Number 1 January 1977 


TABLE OF CONTENTS 


Why Cryptologia Brian J. Winkel, Editor 


The Cryptology of Multiplex Systems 
Greg Mellen and Lloyd Greenwood 


A Different Krad of Column Barbara Harris 
f, > 


/ 39757 
"Crdeking"4M Rahdom@ Number Generator James Reeds 
Cu VO Vag Fm 
x Á ^ = 


> S YES * 
The |BkaBest-BtéLiographó 47 Hz David Kahn 
IM Slo) tp e G ; 
A RPA Td - kahhu/s Review C I Of id Shulman 
“NS M > ; 


A 


Be SUNRISE X 
Unicity Points imCryptenalysi> 
RRB 
Cipher Equipment 


Some Cryptographic Applications of Perituat idi Po 
Jack Levine ann ÑW Brawley 


Poe Challenge Cipher Finally Broken Brian J. Winkel 
Biographies of Contributors 


Epilogue and Notice to Authors 


5 
Q 
call 
Q 
fe 
321 
v 


© 1977 By DEPARTMENT OF MATHEMATICS, 
ALBION COLLEGE, ALBION, MICHIGAN 49224 U.S.A. 


ISBN: 0-89412-014-X 


Published By AEGEAN PARK PRESS 
P.O. Box 2837, Laguna Hills, California 92653 


Manufactured in the United States of America 


CRYPTOLOGIA 


A Journal Devoted to All Aspects of Cryptology 


Editors and Founders 


Cipher A. Deavours, ScD Brian J. Winkel, PhD 
Department of Mathematics Department of Mathematics 
Kean College of New Jersey Albion College 

Union, New Jersey 01083 Albion, Michigan 49224 


David Kahn, DPhil 
Department of Journalism 
New York University 
Washington Square 

New York, New York 10003 


STAFF 


Kathy Cavill, Layout Editor 
Guy Schwartz, Business Manager 
Louise Westcott, Art Editor 
Kathryn Foerster, Assistant 
Katherine Rehm, Assistant 


Karen Coats, Assistant 


Produced at: Distributed by: 
Albion College Aegean Park Press 


Albion, Michigan 49224 P.O. Box 2837 
Laguna Hills, CA 92653 


Cover design: Margaret Sue Benjamin and Louise Westcott 


Supported in part by NSF Grant IG-3454 
Assistance of the Departments of Mathematics at Kean College and 


Albion College is acknowledged and greatly appreciated. 


CRYPTOLOGIA 


WHY CRYPTOLOGIA? 


Brian J. Winkel, Editor 


In an effort to provide communications among teachers of cryptology and 
to encourage our colleagues to consider cryptology, either wholly or in 
part for their own teaching, Cipher Deavours (and it really is Cipher) 
suggested that we might start a newsletter devoted to cryptology, and 
more specifically to the mathematical aspects of the science. So it 
was that CRYPTOLOGIA was conceived. This all came from a common past 
that included the National Security Agency experience, David Kahn's 

The Codebreakers [2], D. C. B. Marsh's article, "Cryptology as a Senior 
Seminar Topic" [3], and then courses of our own in cryptology at the 


college level. 


After initial contact with some of our crypto friends it became appar- 
ent that there was a need for a journal devoted to cryptology, not just 
mathematical cryptology, but all aspects of cryptology. Thus we asked 
David Kahn, whose interests and expertise in cryptology are well docu- 


mented [2], to join with us. 


We are grateful to all those early friends, especially Greg M ‘len, 

Jack Levine and other members of The American Cryptogram Association [1], 
who have encouraged and supported us from the beginning. And we look 
forward to a continuing association with Barbara Harris in her column 

on non-mathematical cryptology and Lou Kruh in his column on machines 


and devices. 


We hope to add more regular features, perhaps a column on historical 
materials or computer encryption or ancient languages or personal ac- 
counts, etc. We want to hear from you, the reader and potential writer. 


Please send us your suggestions, questions, and manuscripts. 


January 1977 2 


We need readers (referees) in all areas and if any of you would like to 
offer your talents we should be most happy to use and acknowledge your 


efforts. Drop us a note indicating your interests and qualifications. 


We also very much need papers in the non-mathematical and non-computa- 
tional area of cryptology. Certainly both research and survey papers 
are welcomed as are reviews, short notes, and items of interest. The 
latter could be as far reaching as personal accounts, notices of sources, 
inquiries and queries, pedagogical concerns, criticisms, archival mate- 
rials, technical notes, messages for solution which are of broader in- 
terest than just solving, etc. We hope to be regular (quarterly) but 

as we are new at this game we can only promise to try to produce a good 
product and that priority comes before regularity. 


In such a venture there can be many goals. As a college teacher of 
mathematics one may desire to share the very beautiful cryptographic 

and cryptanalytic mathematics in cryptology with fellow teachers. Others 
wish to use CRYPTOLOGIA to publish new results while still others may 
want to announce new historical and linguistic finds. Some have ex- 
pressed a desire to use CRYPTOLOGIA as a sounding board for what is 
obviously a need in the computer world, i.e., education of all users in 
data security, in particular, data encryption. Still others wish to 


share information on memorabilia, crypto devices, military materials, 
etc. 


While we realize that we can not be all things to all people we do 
throw all these possibilities out to you to indicate that we are truly 
interested in all aspects of cryptology. The frequent use of etc. is 

a sure sign of our open-minded position. Perhaps the most important 
areas in which we are interested are the areas we know little or nothing 
about, and you do! Let us hear from you, we need to know what you have 


to say. 


CRYPTOLOGIA 


One final word and that is a big thank you to Wayne Barker of Aegean 
Park Press, Laguna Hills, CA. for taking us on and printing CRYPTOLOGIA. 
You might imagine the response from some commercial printers when 

asked to publish a journal on cryptology. We are very grateful to 
Aegean Park Press and we recommend their other efforts in the field of 


cryptology to you. 


Good reading and thank you. 


References 


1. American Cryptogram Association, 9504 Forest Road, Bethesda, MD 20014. 
2. Kahn, David, The Codebreakers, The Macmillan Co., New York, 1967. | 


3. Marsh, D. C. B., "Cryptology as a Senior Seminar Topic", The American 
Mathematical Monthly, 77 (1970) 761-764. 


January 1977 4 


THE CRYPTOLOGY OF MULTIPLEX SYSTEMS 


Greg Mellen and 
Lloyd Greenwood 


Abstract 


Multiplex systems are a family of cryptosystems whose origin can be traced to 
Thomas Jefferson. They were not used extensively, however, until the period 
just prior to World War II. The characteristic feature of a multiplex system 
is that it permits the encipherer to select the ciphertext from among 25 
alternatives, reducing the likelihood that the same block of plaintext will 
result in identical blocks of ciphertext. 


This paper traces the history of multiplex systems and examines both their 
cryptographic and their cryptanalytic aspects. The computer simulation of one 


system, U.S. Army Signal Corps Cipher Device, Type M-94, is described. 


Part 1: CRYPTOGRAPHY 


Background 


Multiplex systems are a family of cryptosystems which use the same algorithm 
for converting plaintext (pt) to ciphertext (ct). The distinctive feature of 
the algorithm is that, for a given block of pt, the encryptor is free to choose 


the ct from among 25 variants. 


The earliest extant reference to a multiplex system is in the papers of 
Thomas Jefferson, probably dated 1790 [1]. Jefferson describes a ‘ ‘wheel 
cypher?* comprised of 36 discs, each bearing an alphabet on its rim, mounted 


on a central shaft. Possibly the idea was inspired by padlocks of similar 


CRYPTOLOGIA 


appearance dating from the seventeenth century or earlier, the principle of 


which persists in the familiar numerical lock of PAPIR cases [2]. 


In 1891 Major Etienne Bazeries, apparently unaware of Jefferson’s work, proposed 
a nearly identical device of 20 discs for use by the French Army. Though re- 
jected, the **Bazeries cylinder’’ continues to give its name to one form of 


multiplex system [3]. 


The algorithm was again ‘‘invented’’ in 1914 by Captain Parker Hitt, USA, this 
time as a ‘‘strip cipher’’ [4]. Hitt’s idea was adopted (in cylinder form) as 
the Army’s field cipher in 1922 by William F. Friedman, then Chief Cryptanalyst 
of the Signal Corps. Friedman was the first to use the term **multiplex 


system** to describe the algorithm [5]. 


In the late Thirties, the U.S. State Department chose a multiplex system as its 
most secret means of communication. During World War II, both Allied and Axis 
powers used variations, and as late as the mid-Sixties, the U.S. Navy employed 


a version [6]. 


Though obsolescent if not obsolete in a world of computers, multiplex systems 
would be a proper object of study if only for their colorful history. Yet 
their study illuminates areas of cryptographic strengths and weaknesses which 
hold true for computer-based gryptosystems. 


t 


Basic Principles 


Figure 1 illustrates the strip-cipher multiplex system. A rigid frame holds 


25 strips which may slide with respect to one another. Each strip bears a 


different mixed alphabet. Each alphabet is repeated on the strip, so that 
regardless of the relative positions of the strips, there are always at least 
26 complete columns. An index line at the center of, and attached to, the 


frame bisects the strips. 


January 1977 


INDEX LINE— 


2 
= 
e 
N 
x 
æ 
E 
o 
N 
x 
o 
- 
* 
z 
> 
> 
> 
u 
= 
a 
oO 


ABCE 


JKTLMOUVYGZNPQXRWS BIAC 


AF 


NXFYQRTVWLIAD 


[^ 
o 


RaRNEEEEHBGGBEE 


FGJHLKMRUOQVPTNWYXZSIAE 


XLURNDYZHWBJSOQOFK 


AGP OC 


KPVROGSYDULCF 


AHXJEZBN 


VTZEFHGYUNLP 


AJDSKQO 


AJ 
AK 


SRDVE WO[AM| 


LUHBMKGXUZTSWOYVORPFE 


ms 


UQHZCTXBLEGNYRSM 


YKSGUENTCXOWFQDRLJ 


MWZRVLXCSHDEOKFP 


24 ACDEHFI 


3ADKOMJUBGEPHSCZI 


100AKELBDFJGHONMTPROSVZUXYMWMI! 


[H[AL TMSXVOPNOHUWDIZYCGKRFBE J|AL 


12011AMNFLHOGCUJTBYPZKX 


13JANCAJ! 


1MJAODWPKJV 


15} AP BVH 


1$9AQJNUBTGI 


BKLN 


WIARMYOFTHEUSZJXDPCWGQI 


[s] 


RBSEKUPDZQ 


ATOJYLFXNGWHVCM 


AUTRZXQLY 


| 
x 


OVBPESNHJWMDGFC 


EBHKNRJQZGMXPUCOT 


TUFOYHMLSI!I 


WVSFDL 


Q N J C P G B ZJA Y 


BQOWUGLOSTECHNZFRI DAY | 


J2,AZDNBUHYFWJLVGRCQOMPSOEXTKI{AZ | 


Strip Cipher 


Figure 1. 


the 


3 


may vary from 20 to 30 


» or alphabets, 


(In practice, the number of strips 


number is invariant within messages and normally invariant among messages for 


For convenience, 25 alphabets are assumed 


the prevailing cryptoperiod [7]. 


for all examples in this paper.) 


the strips are permuted in accord with the current key, 


To encrypt a message, 


For example, if the key is codex byzantium, 


perhaps derived from a keyword. 


the key letters are repeated until they number 25; the letters are then numbered 


in alphabetical order: 


The 


CRYPTOLOGIA 


4 23 25 2 14 18 
Decryptment. 


The ct is then taken off by 
: SDNMBYZGML. 
YKSGU 
CARL 
DAYJ 
TJBRHCYSL 
OVBP 
GDJFVUYMH 
| 
B. 


VTZEFHGYUNLPMB 
A. Encryptment. 


ECHNZFR 
DAYJPXMVKBQWUGL 


KPVROGS YDULCFMQ 
T 


13 17 11 1912 «6: 16. -8 10 21 


JAWVSFDLIEBHKNRAJOZG 


GLOSTECHNZFR 


1 


LDHBMKGXUZTS WQYVO|RP } 


AFNQUKDOP 


Strip Cipher. 


peterpiper. 
OVBPESNHJWMDGFCKAU T[RZ ] 


NXFYORTVWLADKOMJUBGE[PH' 
EBHKNRJOZGMXPUCOTYAWVSFD I]! E | 


PXMVKBOWUGLOS 
[A DKOMJUBGEPHSCZINXFYO 


AJDSKOQOOI 
BPESNHJWMDGFCKAUTRZXQLY 


S become | and 2, the two b’s become 3 and 4, and so on. 


A) 
reading down any other, arbitrarily selected, column 


JANCJI 


TJ BRHCYSLWEMZVXGAFNQUKDO 
KPVROGSYDULCFMOTWAHXJEZBN 


ENTCXOWFODRLJZMAPBVHI 
GDJFVUYMHTOKZOLRXSPWNABC 


920 32224 
Figure 2. 


[AH XJ EZ BN I 
EFHGYUNLPMBXWCRAJDSKQOI! 


LDHBMKGXUZTSWOYVORPFEANCAJ 


MHTOKZOLRXSPWNABCE 


RZXQLYI! 
PHSCZ 


Next, the strips are slid so as to align the pt to the right of the index 


line (Figure 2- 


9 
9 
g& 
9 
3 
c 
9 
oO 
1 
po] 
zi 
mL 
H 
9 
Es 
v 
Y 
o 
u 
o 
bz] 
pa 
o 
g 
Gal 
8 
M 
ui 
9 
Es 
I 
g 
i 
Y 
9 
ob 
g 
kj] 
H 
H 
Lj 
g 
9 
= 
- 
v 
H 
Lj] 
n 
A 
bs] 
M 
- 
[7] 


7 
Thus the two a* 


5 15 


January 1977 8 


To decrypt, the process is reversed (Figure 2-B). The strips are set up with 
the ct to the right of the index line, and the other columns are scanned to find 


the one colunn which yields pt. 


With but minor variations, this is the principle of all multiplex systems. It 
will be noted that the pt is encrypted and the ct decrypted in blocks of 25 

letters. The ct is a form of polyalphabetic substitution. Polyalphabetic sub- 
stitution, in contrast to the monoalphabetic substitution of newspaper crypto- 


grams, provides two or more cipher substitutes for each pt character. 


Most polyalphabetic cryptosystems, by rule or by mechanism, rigorously specify 
the cipher substitute to be used at each stage of encryption. A multiplex 
system, as has been shown, permits the user to choose arbitrarily one of 25 
different substitutes for the first pt letter of each block. (Selecting the 
substitute for the first letter of course determines the substitutes for the 
remaining letters in the block.) 


Cryptographic Considerations 


Friedman, in the body of his patent for a strip-cipher device [8], states **The 
letters on the alphabet strips may be in normal order or in disarranged 

order; if the latter, the various alphabets may or may not be different.’’ 
However, it can be demonstrated rather easily that for any degree of security 


worthy of the name, the alphabets must be different. 


First, if all alphabets are the same and in normal order, any ct column is but 


a Caesar cipher of the pt; the pt may be recovered merely by running down the 
alphabet. Thus: 


ct: LAPAN LELAN. . 
mbqbo mfmbo . 
noaorop A SREP: év 
odsdq ohodq . 

pts peter piper. 


Second, if all alphabets ar 
cannot be recovered by runn 


is still rather easy. Cons 


CRYPTOLOGIA 


e the same but in disarranged order, though the pt 
ing down the normal alphabet, the recovery of the pt 


ider the following short message: 


Careful examination reveals 
different constituent lette 
(1) 


TINC 


FYS 


WSD 
RPW 
(2 WUJ 
RO 


BLU 
GER 


GN 
AD 


(3 MND 


YDQ 
By chaining, we derive the 
(1) T-Z; J-F-I-A; N-Y; C 


(2) 


(3) 


TJNCJ IVWSD GTORV WGSFG SFJTS JGQAJ 
DNYHJ XNZGN PJXNM NDZEN KLSBT RWUJI 
XQJBL UBYJL UPVWL AXOPF QPALX FGGDL 
UDALG LGGQK NJTTL XIAKL YIMIH XLJSJ 
PQMIX CADMT SDYDQ CRDWD TSDON GTRVD 
TWXJA OALEZ ALEKT EYKCC GEEKB RNROQ 
FBOGE RGHOE RXANE ENGRR DVJRI RZJKB 
RARJJ RPKVA YQRFR PZFYS FAQRP WUZVL 
QRUPI UPIFZ FHFPM JGQAF GHBHG i TAPE 
EAFQH DCVFI CWCVX UWHNX 


three isomorphs, i.e., ct patterns which recur with 
rs. They have been underscored above: 
RVWGSFGSFJT 
LORUPIUPITPTZ 
BY L'UPVW 


GH ERXAN 


iz 


following partial sequences for each group: 


-S-P; O-V-Q; D-W-R-L: G-U. 


W-N; U-R; J-0; I-Q-B-G; P-X-F; L-E; Y-H; V-A. 


Z-C; G-A; N-D-Q; P-M; J-T; X-S; M-Y; E-R. 


January 1977 10 


We will attempt to recover the mixed alphabet by a geometrical technique [9]. 
We assign the chains of group 1 to the X axis and the chains of group 2 to the 
Y axis. Much in the manner of a crossword puzzle, we begin to interlock the 


chains and at an early stage have: 


The relative position of **X'* and **S?* (X-S is one of the chains of group 3) 
establishes that the chains of group 3 run diagonally upward from right to left. 
This fact permits us, piece by piece, to add the remaining chains to the diagram. 
After removing redundant letters (else we would end up with a 26 x 26 array) 


we have: 


VQ-GUNYECSPJFIABDWRLHMTZXO 
ABDWRLHMTZXOVQ-GUNYECSPJFI 
"GUNYECSPJFIABDWRLHMTZXOVQ 
DWRLHMTZXOVQ-GUNYECSPJFIAB 


Adding the missing letter (obviously **K??), we obtain the single 26-letter 


sequence: 
ABDWRLHMTZXOVQKGUNYECSPJFI 


Decimation of this sequence at interval 17 reveals the original mixed alphabet, 


based on the key codex byzantium: 
CODEXBYZANTIUMFGHJKLPQRSVW 


One can now read the original message by running down this alphabet. Moreover 
(an important point when we later attempt to recover unknown alphabets), the 
undecimated sequence may also be used: The order in which the generatrices 


are recovered is immaterial so long as they maintain proper relative separation. 


CRYPTOLOGIA 


This example, manipulated as it is for reasons of space, clearly shows that to 
avoid isomorphism, the mixed alphabets of a multiplex system must differ from 
one another. There being approximately 4 x 1026 mixed alphabets, one need not 


fear a shortage. 


Another phenomenon of cryptographic interest arises from the freedom of the 

encryptor to choose from among 25 ct variants. With proper coordination the 
identical pt message, enciphered in the same key, can result in twó or more 

apparently unrelated ct messages. One could indeed, create 25 different 

Ct messages from the same pt in the same key. There are circumstances where 


this characteristic could be used advantageously. 


Yet if an unauthorized recipient had the 25 different ct versions of a given 
Pt message, he could read the pt without effort and without knowing anything 
of the underlying cryptosystem. Since multiplex systems are noncrashing (no 
pt letter may substitute for itself in the ct), the pt character in any 
position would be the letter absent from the set of ct characters for that 
position. 


A final point of cryptographic interest is the total unsuitability of multi- 
Plex systems for the second stage in superencipherment, that is, the encipher- 
ment in another system (or key) of text which has already been enciphered. 
Successful decryptment depends on the ability of the decipherer, whether man 


or machine, to recognize the pt generatrix. 
Selection of Cryptoperiod 


Shannon [9] has shown that for all cryptosystems save one (the one-time random 
key), there is a critical mass of identically keyed ct which in theory would 
permit an enemy to analyze and solve the system. In simple substitution, for 


example, this minimum amount is on the order of 27 to 30 characters. 


The user of a cryptosystem, then, should change the key frequently enough so 


that an enemy is unlikely to get enough text in one key so as to be able to 


January 1977 12 


read that set of messages. The use of the term ‘‘unlikely’’ correctly implies 
we are dealing with probabilities and not certainties. The important factor is 
the amount of text encrypted by a single key. But practical considerations of 


the operating environment dictate that keys be changed on the basis of time 


rather than volume of text. 


The ideal would be a new key for every message, with the maximum length of a 
single message strictly specified. As will be demonstrated later, the ideal is 
rather easy to implement in the computer. For practical use among manual users, 
however, the ideal may be considered unattainable, A World War II text out- 
lines the problem: 


Messages cryptographed by the same sequence of alphabet[s] can re- 
main secure against solution by a well-organized and efficient enemy 
cryptanalytic section for only a relatively short time. It is im- 
possible to state exactly how long, because solution depends upon a 
number of variable factors; a conservative estimate would place the 


minimum at six hours, the maximum at two or three days. [11] 


Once set up in a given key, a multiplex system may be thought of as simple sub- 
stitution with 25 variants and a different alphabet for each position in the 
block. Hence, once an enemy has about 30 ct blocks from the same generatrix, 
he has, in theory, sufficient material to solve that generatrix. With that 
large an entry, a number of the other generatrices may be solved as well. 

Nor need the generatrices be recovered in their original order. As the 
solution by isomorphs has shown, any decimation of the correct order will 


suffice to break the key. 


In theory, if the encryptor selects the ct generatrices at random, an enemy who 
intercepts 520 ct blocks in the same key has an even chance that at least 30 
blocks are derived from the same generatrix. [12] In other words, a user who 
encrypts 13,000 or more characters in the same key is giving the enemy an even 
chance of reading that set of message. Most users will, of course, demand 


far better security than that. 


CRYPTOLOGIA 


Cipher Device, Type M-94 

The multiplex system adopted by Friedman for Army field use in 1922, and which 
saw service until the middle of World War II, is embodied in the U.S. Army 
Signal Corps Cipher Device, Type M-94 (Fig. 3). The device consists of an 
endplate bearing a central shaft upon which 25 aluminum discs are mounted and 
secured by a knurled nut on the end of the shaft. Each disc has a different 
alphabet engraved on its outer rim, The endplate has a guiderule which projects 
over the rims of the discs, and which serves the same purpose as the index line 
in the strip cipher, When assembled, the M-94 forms an aluminum cylinder 12 cm 


long and 3.6 cm in diameter, weighing about 100 gm. 


Cipher Device, Type M-94 


Figure 3. 


U.S. Army Signal Corps 


January 1977 14 


The alphabets on the discs are identical to those in Figure 1. They have been 
attributed to Signal Corps? Lt. Joseph 0. Mauborgne, and in general show no 
method to their construction. The **R'* and **Y?*? alphabets (see below) are 


minor exceptions in that they incorporate the words ARMY OF THE US and FRIDAY 
respectively. 


The alphabets, ordered A-B, A-C, . . ., A-Z, are known as the B, C, . . ., Z 
alphabets. Each disc has its alphabet letter plus a number from 1 to 25 
(corresponding to B through Z) stamped on its inner surface for identification. 
The inner surface of each disc is also dentated, so that when the nut is 
tightened, each disc locks with its neighbor, the end disc locking with the 
endplate, and the cylinder is immobilized. 


To use the M-94, the discs are ordered on the shaft in the manner described 
above for the strip cipher, i.e., in accord with some key. To encrypt a pt 
block, the nut is loosened and the pt is aligned with the guiderule by rotat- 
ing the discs. Thereupon the cylinder is locked, and any legal generatrix 
is selected for the ct. 


Standing Signal Corps orders prohibited using the generatrix immediately above 
the pt for the ct, presumably to encourage greater randomness in its selection. 
In addition, the guiderule obscures the two generatrices beneath it. Thus, the 


M-94 effectively provides only 22 useable ct generatrices. 


Tests by the Signal Corps showed that the average speed of encryption by the 
M-94 was 1.75 five-letter groups/minute, and the average speed of decryption, 
1.78 five-letter groups/minute. Of the six types of encoding and encipher- 

ment tested in the series, the M-94 was the slowest. The fastest was a keyboard- 
equipped electrical printing cryptograph, which had an average speed of 30.00 
five-letter groups/minute for encryption and 25.00 five-letter groups/minute 

for decryption [3]. Despite the speed disparity, the small size and zero power 


requirement of the M-94 recommended its use under difficult combat conditions. 


1. 


Notes and References 


CRYPTOLOGIA 


Kahn, David, The Codebreakers, New York: The Macmillan Company, 1967, 
p: 192. 


The authors are indebted to Louis Kruh of the New York Telephone Company 
for this suggestion. 


Kahn, Op. cit., pp. 245ff. 


Ibid., p. 493. | 


Friedman, William F., Several Machine Ciphers and Methods for Their Solu- 


tion, Riverbank Publication No. 20, Geneva, IL: Riverbank Laboratories, 
1918, 


Additional details of the history of multiplex systems may be found in: 
Kruh, Louis, **The Cryptograph That Was Invented Three Times,’’ The 
Retired Officer, April 1971. 


A cryptoperiod is the time, e.g., one day, during which a given key is in 
effect. 


U.S. Patent 2,395,863. This is a curious patent in light of the prior three 
**inventions’’ of the system, There appear to be only three elements not 
found in earlier literature: A secondary frame which permits subsets of 
strips to be permuted in groups; a transverse hinge which permits the main 
frame to be folded, and feet for the frame to prevent slippage. Yet the 


patent claims cover the entire system. 


An alternate method of alphabet recovery may be found in: Gaines, Helen 
Fouche, Elementary Cryptanalysis, American Photographic Publishing Company, 
1943, pp. 178ff. This volume was reissued in paperback under the title 
Cryptanalysis by Dover Publications in 1956. 


January 1977 16 


10. 


11. 


$2. 


13. 


Shannon, C.E., **Communication Theory of Secrecy Systems,’’ Bell System 
Technical Journal, vol. 28, October 1949. 


TM 11-485, Advanced Military Cryptography, Washington, DC: War Department, 
8 June 1944, par. 65. No author is given but internal evidence suggests 
the writer is William F, Friedman. 


This is a ‘‘worst-case’’ assumption in that the 30 blocks from the same 
generatrix would not be identifiable as such. For a comprehensive 
mathematical treatment of the criteria and probabilities of identification, 
See: Kullback, Solomon, Statistical Methods in Cryptanalysis, National 
Security Agency, reprinted 1967, pp. 88-92. 


TM 11-485, par. 75b(1). 


NOTE: The second part of this article, dealing with simulation and crypt- 


analysis of multiplex systems, will appear in the next issue. 


CRYPTOLOGIA 


A DIFFERENT KIND OF COLUMN 


Barbara Harris 


When I was asked to write for "CRYPTOLOGIA" a question arose in my mind-- 
not what should I write, but rather what kind of writing should this be. 
The inner me kept saying, "Well, many of the readers are probably mathe- 
maticians." They are interested in matrix inversions and array manipula- 
tions, optimum algorithms for encipherment, information theory; they walk 
around muttering about phi tests and chi tests. They talk about the idea 
that nowadays no government can break anybody else's ciphez messages be- 
cause of the advanced computer techniques used. They obviously believe 
that people with that mysterious thing called "the cryptanalyst's mind" 
are no longer needed. After all, no one works with paper and pencil any | 
more. You must use a computer, and the text has tg have a minimum length 

of 4096 characters. I would have to write something mathematically 


slanted! 


Walking around in a state of depression at the idea that I'm supposed to 
be obsolete, I wandered into the public library. And there I came upon 
a reminder, in the form of a book, that there is still room on this planet 
for us dinosaurs. The book is The Journal of Beatrix Potter from 1881 to 


1897, by Leslie Linder (Frederick Warne & Co. Ltd., London 1966). 


For many years, from age 14 to age 30, Beatrix Potter, who gave the world 
the beloved Peter Rabbit, kept a Journal in cipher. It filled many, many 
notebooks; in a period of four and a half years she wrote 360 pages. The 
cipher was a simple substitution, which she never varied. In the early 
days, capital letters were underlined, but she dropped that later. But 
as time went by Miss Potter's writing got smaller and smaller. On one 
of the later pages, an eight by six and a half-inch sheet, there were 
more than 1500 words! She also used abbreviations, making decipherment 
more difficult; for example, gr. meant grandmother or grandfather. The 
writing became so difficult to read that Mr. H. L. Cox, who wrote the 


"Appreciation" of the book said, "Had only the later parts of the Journal 


January 1977 18 


“been preserved they would probably never have been deciphered." As a 
matter of fact, five weeks before her death Miss Potter herself wrote to 
& cousin "I used to write long-winded descriptions, hymns(!) and records 
of conversations in a kind of cipher shorthand which I am now unable to 
read even with a magnifying glass." 


Leslie Linder first saw the never-deciphered Journal in 1952, and ir 

1953 he was allowed to take some pages home to work on. He makes no men- 
tion of showing the cipher to cryptanalysts, but evidently worked on it 
by himself, with no success. (He also makes no mention of using any 


standard cryptanalytic techniques, such as taking a frequency count.) 


Then on Easter Monday 1958, Mr. Linder randomly chose a sheet and noticed 
the Roman numerals XVI and Arabic numerals 1793. He looked up Louis XVI 
(in the Index to the Children's Encyclopedia) and found that Louis was 
guillotined in 1793. "Here was a possible clue!" he writes. On the 

same line of cipher there was a word with the second cipher symbol an "x" 
which suggested the word "executed." Then, he writes, the word turned 
out to be execution, "and the likelihood of this word was confirmed by 
noticing that it appeared to contain nine cipher-symbols, of which the 
first and third were the same." Yes, normal word breaks were used 
throughout the Journal. 


Of course the cipher was now cracked, and Mr. Linder recovered what he 
calls The Code Alphabet (see illustration). And so he was then able to 
set to work, at what must have been a very tedious and difficult task, 


deciphering the entire texts of the Journals. They take up 438 typeset 
pages! 


No mention will be made here of the contents of the Journals, since they 
are not of cryptographic interest. But you may read the illustrated 
text. What did interest me was the fact that here was yet another cipher 
of literary/historic importance, undeciphered until quite recently, and 


Never submitted to the cryptanalytic community for attempted decipherment. 


Probably quite a number. 


that really should be solved. 


with mathematical solutions!). 


we're not obsolete after all. 


Warne & Co. Ltd., London. 


Photo courtesy of Frederick 


CRYPTOLOGIA 


How many more such documents are there, still waiting to be cracked? 


Even so fascinating and frightening a case as 


Zodiac, just a few years ago, presents us with still uncracked messages 
And this kind of cipher requires the 


paper-and-pencil technique (unless, oh mathematicians, you can come up 


So, fellow dinosaurs, rejoice, rejoice, 


ANAKAN G/U FOR Peia et FC da 
eene mey, af m 4 
PLO KYW DOTHA AE i m AMO 


974147 UNIEN tae. naag Raia emer “ile 


ma anny se 


LWA PINA, 10 te U. tah AO PAUMO NJAO 


OUIA HY. iN PANA. 


A6 app Prana. 44 MUVA AUAMK CEO DRIVE 


enam, yiwi 


arat Y etidi tut tomer 


loumo, NNAM) th wercmepo NÉ at MAd 


"v hawt n $ Jack J masr curi en 


fa44^ a^ OCOLATOLEMAO Mitt NAMI MTAWT 
ame mariem emtia 


CU 


02472017, 
map carmino om 7e Dan id OP. 


Mate Beene 


VAT ec UAN hw TUMON ainar Njanmeo 
la dras - 
a% L4? ajá x AE CGU] BOOM es a 


Uwe tet € HA nat th YM at 5 


“ao. 


Au 
Veo O (uuo ug s 
TOK Amteeie a 


FUGIT UOCA - 

Pan 7 teun ME p ci u^ 
a some amoa mainat ttio 
d GU PUDE MERLO) 


BOUT. 


ean 


E tamant Ge coem am (Duce 


hs ont 
a» ÜCVO/PLÓT bl ate rar RusoAAUP CO 
heen part Ack om g aor 


CMA NOL Ue ey)urve7MO UC appe GOLOM 
tat un JUAL GIAA la LmtmLAUILAAILUC s 


maimo Cea 
HOA up mt a 


The code-writing of 1881 


Page 1 of her visit to Hunt & Roskell, beginning 
“Friday November 4/81. We went to Hunt & Roskles . . .' 


Note. The lines under H and R indicate capitals, also the 
name Roskell is wrongly spelt. In the second line she has 
added the letter | to the word silver. 


January 1977 20 


"CRACKING" A RANDOM NUMBER GENERATOR 


James Reeds 


The purpose of this note is to illustrate how the ordinary standards of 
randomness have little to do with the type of randomness required for 


cryptographic purposes. That is, there are really two standards of 
randomness. 


I. Consider the usual standards for random number generators. Here the 
general idea is that standard techniques of statistical analysis are not 
able to discriminate between the sequence of numbers generated and a se- 
quence of independent uniform deviates from the unit interval. Thus, 

x2 tests, autocorrelation functions, and correlation coefficients are 
used to judge the random number generator in question. These are dis- 
cussed at length in [1]. The point of this standard is that acceptable 
random number generators should be suitable for "Monte Carlo" applica- 
tions. 


II. On the other hand we have the standards of cryptography. For crypto- 
graphic purposes the matter of predictability is exceedingly important. 
If, after examining, say, a sequence of four random numbers, one is able 
to predict the fifth (and all subsequent) numbers, then that generator is 
useless for cryptographic purposes. In predicting the next number we are 
allowed to examine the low-order bits (or digits) as well as the high 
order bits. As a result, the "rule" which predicts the next number may 
be "discontinuous", and’ thus not be discovered by the standard statisti- 


cal methods used to evaluate "randomness I" properties of a random number 
generator. 


As an illustration of what I mean, let us examine a "typical" cryptographic 
example. Let us say that a secret message has been prepared by convert- 
ing the letters into digits, following the rule A=01, B=02, etc., to 2-26. 
Then the successive digits are added, modulo 10 to the successive digits 


CRYPTOLOGIA 


of the output of a "linear congruential" random number generator. The | 
correspondents have previously agreed upon a "modulus" M = 8397, a "multi- 
plier" a = 4381, and a constant term b = 7364, That is, if Xn is the 


n-th random number, the next is given by the rule: 


X = 4381 x. + 7364 (modulo 8397). 
n*l n 

(I chose these three numbers entirely at random, insisting only that they 

have four digits. The reader will see how the analysis given below is 

general and will apply to other choices of M, a, and b.) 


Let us assume further that the correspondents have agreed (ahead of time) 
to encipher this message by starting up the random number generator with 


the "initial key" of X9 = 2134. With the generator given above, we get: 


Xo = 2134 X4 8295 Xg = 7907 X19 = 7648 X16 = 6636 
x, = 2160 Xs = 5543 X = 0766 X13 7 0825 Xi; * 0869 
x) = 6905 X6 7 7123 Xio* 3231 X14 7 2582 Xig = 2215 
XS = 3778 X, = 1578 Xy 1865 Xis 7 8347 X19 = 4347. 


These successive digits (starting with SE 2160, 6905 etc.) are added 


(modulo ten) to the message digits to get the cryptogram 


plain text 5 E C R "B "Y" ae Se OR A 
plain text digits 19 05 03 18 05 20 20 18 05 01 20 25 
key digits 21 60 69 05 37 78 82 95 55 43 71 23 
cipher text 30 65 .62 13 32 98 02 03 50 44 91 48 


S "p: GN Bod- Boo) CA aR b SS Tola nor Be 
19 09 07 14 05 04 02 25 16 01 11 09 19 20 01 14 01 14 04 


24 77 76 11 02 60 34 56 24 66 87 47 17 45 26 96 84 51 60 


09 19 18 01 05 12 
36 08 69 22 15 43 


23 


10 55 


January 1977 22 


Now, it is not suggested that the preceeding cipher system is a good 
system, or an especially practical one, or a widely used one. I show 
below why it is not a good system, and I doubt if it is widely used. The 
point is that very similar systems might well be in use in computers. 

The "linear congruential" random number generator is by far and away the 
most popular generator in the computer world, and similar cipher systems 
(based on bits, not digits) might well be used with computers. In such 

a computer system the correspondence between letters and bits is provided 
by one of the standard codes: Baudot, ASCII, or EBCDIC. 


Let us now assume that this message is intercepted by a cryptanalyst. He 
does not know the starting random number Xo» nor the modulus, nor the 
multiplier, nor constant terms, M, a, and b. What he does know (from the 
study of similar messages) is that the numbers are 4 digits long. Further, 
he suspects that the word "Pakistan" occurs in the messages. He uses the 
probable word method to recover the key digits, and mathematical analysis 
to reconstruct the generator. He tries to fit the word "Pakistan" in at 
the beginning of the message, gets "false" key digits, and hence the wrong 
generator. This wrong generator does not yield any intelligible text, so 
the cryptanalyst tries another place to fit "Pakistan" in. Place by place 
the analysis is followed, and time after time no intelligible text is pro- 
duced. Finally, however, "Pakistan" is fitted into the correct place, 

and at last the "true" key digits are produced. The analysis is as 
follows: 


The cipher text has been lined up with the digits for "Pakistan", and the 
probable word has been subtracted out, modulo 10: 


cipher text : 24 66 87 47 17 45 26 96 84 51 60 etc. 
probable word : 16 01 11 09 19 20 01 14 


key : 18 65 76 48 08 25 25 82 


By blocking off digits by fours from the beginning of the message we get 
four consecutive 4 digit numbers: 1865, 7648, 0825, 2582. The crypt- 


analyst tries to recover the entire random number generator from these 
data. 


CRYPTOLOGIA 


It is clear that the modulus M is at least as large as 7649 (and, by the 
rules of this cipher system, no greater than 10,000). Referring back to 


the equation defining the "linear congruential" system, we get: 


7648 = 1865 a + b (modulo M) (1) 
825 = 7648 a + b (modulo M) (11) 
2582 = 825 a + b (modulo M) (III) 


Take equation I and subtract it from II and III, to get: 


-6823 = 5783 a (modulo M) (IV) 
-5066 =-1040 a (modulo M) (V) 


Thus, b is eliminated from these equations. Now we try to eliminate a. 
We can find no common factor (other than 1 and -1) of the two numbers 
5785 and -1040, so in order to eliminate a from IV and V we have to mul- 
tiply IV by 1040 and V by 5783 and add the two together. 
Thus, we get: 

-36,392,598 2 0 (modulo M) (VI) 


This lets us say that M divides 36,392,598, and, if we list all the 
divisors of this large number, M will be found among them. So we must 
factorize the number N - 36,392,598. (This can be done automatically on 
a computer, but it is fun to do by hand.) First off, it ends in an even 


digit, so we can divide out 2: 


N = 36,392,598 = 2 * 18,196,299. The sum of the digits is 45, 
so 3 divides N: N=2+ 3° 6,065,433. Again, 3 divides 6,065,453: 
N2=2-°3-° 3 + 2,021,811, and again: 
=2:+3° 3+ 3 * 673,937. Now we try trial 
divisors of primes higher than 2 and 3: 5, 7, 11 etc. We find 5 and 7 
don't divide 673,937, but 11 does: 

N=2.- 33+ 11 * 61,267. We try 11 again, and 
all of the primes lower than the square root of 61,267, i.e., less than 
247. We find that the lowest prime divisor of 61,267 is 197, which goes 
in 311 times. This last number is (by reference to a table of primes) 
seen to be a prime, and so we have 


N=2.- 35+ 11+ 197 . 311 


January 1977 24 


as the complete factorization of N. There are 64 possible divisors, but 


many are too big (i.e., larger than 10,000), and others are smaller than 
7649. 


Look at Figure 1, a table of size 8 x 8, showing all the possible divisors 
of N: 


Values of B 
1 2 3 2*3=6 33-9 23.3218 3*3*3-27 2+3+3+3=54 

Values of A 1 
11 

197 

311 

11*19722,167 

11: 311=3,421 

197+ 311261,267 


11*197- 311=673,937 


FIGURE 1 


A possible divisor is formed by picking a cell, and multiplying the num- 
bers A and B standing at the ends of the row and column that meet at the 


cell in question. This product may be entered in the cell. 


Before we begin, we see that we may rule out many entries in the last two 
rows in the table, because these products will be greater that 10,000. 
X 2 3 6 9 18 27 54 


B « 7,649 


B » 10,000 


FIGURE 2 


CRYPTOLOGIA 


We similarly rule out the Fa cross hatched regions (A:B is too big) and 
the stippled regions (A-B is too small). In fact, there is only one 
divisor of N left (in the range 7649 through 10,000), and it is 27-31l= 


8,397. This is thus the only candidate for M. 


Referring back to the original generator, we see that this is indeed 
correct. We can now try to solve equation IV for a: 

-6823 = 5783 a (modulo 8397) 
Without going through the calculation, we can check to see if this is in 
fact solvable. If 5,783 has no common factor with 8,397, there is a 
unique solution. Well, 3 doesn't divide 5,783, and neither does the prime 
311, so they are in fact relatively prime, and thus a unique solution 
exists. (It can be found by application of Euclid's algorithm for finding 
the G.C.D. of two numbers.) 


Once a is found, the cryptanalyst can solve equation I for b: 


b 


7648 - 1865 a (modulo 8397). 


At this point, the cryptanalyst has recovered the generator, and he can 
crank out the next several numbers to decipher the words following 

"Pakistan". He finds, of course, "and Israel". This makes sense (lin- 
guistically, if not politically!) and the cryptanalyst knows he has the 
right key. Since a = 4381 is relatively prime to M = 8397, the random 
number generator may be "cranked" backwards to yield the previous parts 


of the keying sequence, and the whole message may be read. 


This may all, of course, be done automatically on a computer. The com- 
puter will try a probable word in each of the possible places it could 
fit in the message, go through the calculations outlined above very 
rapidly, and then print out a portion of the resulting supposed plain 
texts. The cryptanalyst could quickly scan the list of trial decipher- 
ments and pick out the correct one. Of course, if such a method of 
encipherment were ever to be used, it would be based on much larger 


numbers: of 10 instead of 4 digits, and its decipherment would be a 


January 1977 26 


bit more difficult, especially at the factorization step. But this is 
nothing a good computer could not handle. 


Thus, we've seen how "linear congruential" random number generators are 
unsuitable for cryptographic applications. The method presented above is 
applicable against any linear congruential generator, and is not affected 
in the least by whether or not the generator is judged highly random or 
not by "standard I" criteria mentioned at the beginning of this note. 
Moreover, the general idea of the analysis presented in this note may be 
carried over to other random number generators, including the "squaring 
the middle half" and "shift register sequence" generators, for instance. 
That is to say, cryptography has its own standards of randomness, which 


do not necessarily coincide with the more usual standards. 


References 


1. Knuth, Donald E., The Art of Computer Programming, Vol. 2, Semi- 
numerical Algorithms, Addison-Wesley Publishing Company, 
Reading, Mass., 1969, pp 1-99. 


CRYPTOLOGIA 


THE BIGGEST BIBLIOGRAPHY 


David Kahn 


David Shulman. An Annotated Bibliography of Cryptography. Garland 
Reference Library of the Humanities, Vol. 37. New York and 


London: Garland Publishing Co., 1976. xvi*372 pp. illus. $35.00. 


If I were to review David Shulman's bibliography of cryptology in the 
way that he comments on the works he lists, I would say something 
like this: 


This book is laden with faults, both great and small. It 

omits some major works while including many that have noth- 

ing to do with secret communications. It does not list 
printers or publishers. It does not annotate any of the 
major and many of the minor works of cryptology. It makes 
far too many errors of detail. It is inconsistent. But 
it is admittedly the most complete bibliography of its 
subject ever published. 


In other words, Shulman's bibliography, though the best ever, suffers 
from far more flaws than one may reasonably expect in a work of this 
nature. How this happened can best be understood by answering two 
questions: Who is David Shulman? and How did he compile his biblio- 
graphy? 


David Shulman, a semi-retired puzzle editor, is a man of medium height, 
a bachelor, a tennis player, who, unlike many of the other collectors 
of books on cryptology whom I know, never gives away an item or ex- 
changes on a general basis, but always sells his books for profit, and 
who, on the other hand, coaches a basketball team of slum youths. He 
lays little store on social niceties and seems impervious to criticism. 
His knowledge of bookish resource tools exceeds that of most librarians, 


but his discussions and conversation appear to me to be characterized 


January 1977 28 


by disconcerting non-sequitors. 


He became interested in cryptology and puzzles in the 1920s through the 
"Red Magic" columns in the great New York newspaper, The World. He 
joined the National Puzzlers League and in 1932 became an early member 
of its offshoot, the American Cryptogram Association. "During the De- 
pression," he said, "I always did & lot of studying at the library, 
especially at the New York Public, while going to college. I saw the 
very fine collection [of books on cryptology] they had and I really 


wanted to keep a record." This may be regarded as the kernel of his 
bibliography. 


It gained impetus through the kindness and interest of a Philadelphia 
man, W. D. Witt, who had a good collection of books on cryptology. He 
corresponded with Shulman, increasing Shulman's interest in the liter- 
ature of the subject. With his help Shulman began assembling books on 
cryptology, and after his death bought some of his books from the book 
dealer who had obtained the Witt collection. These formed the nucleus 
of his own collection. Today it is, in the field of printed books, 
probably one of the finest in the world. 


The acquisitive interest impinged upon the bibliographical, and impelled 
him further to learn more about the literature. He began to see the 
need for a bibliography when he first saw William F. Friedman's short 
list in his Riverbank Publication No. 18. "I realized he must have 
missed a lot," Shulman said. "Gylden's bibliography [300 items in 
Locard's Traité de criminalistique, 1951] was very impressive but he 
also missed a lot of early books. Volts's really got me going because 
his was so poor." He refers to James D. Volts's 18-page effort of 1938. 


In World War II, Shulman served as an Army cryptanalyst, which gave him 
some practical insight in the field, though it seems to have benefited 


his bibliography only indirectly, not directly through new titles. He 


CRYPTOLOGIA 


resumed his work on it after the war, and when I first came to know him, 
through my joining of the New York Cipher Society in 1946, I soon 


learned of it. 


During the next 30 years, as Shulman supported himself as an editor of 
circulation-building contests for the Hearst publications, as a colum- 
nist on puzzles for the New York World-Telegram and for King Features, 
and as a dealer in cryptologic and puzzle books, the bibliography con- 
tinued to grow. In the years that I was researching The Codebreakers 
and then other writings, I would run into him two or three times a 
week in the high-ceilinged main catalogue or reading rooms of the New 
York Public Library. He only appeared in the afternoons, but in every 
season. On gray winter days, or in the summer when the warm sunlight 
streamed in through the great western windows and flashed off the var- 
nished oak tables, Shulman, wearing his blue windbreaker or a short- 
sleeved shirt, would be bent over some book, peering closely at it 
through his glasses. He would then copy some citation in his large, 
clear hand onto one of the pink or green or white three-by-five inch 
paper slips that he carried in his breast pocket. When, at a tray of 
catalogue cards, he ascertained that the library did not have a work, 
he would note "--NN" at the foot of a slip -- a dash, a minus sign, 
and the Library of Congress symbol for the New York Public. I often 
felt that his work was hasty, not rapid, and inefficient. Many is 

the time that I brought him some item that I had discovered in my re- 
searches; he never read it then and there, but would merely note the 
reference, and then would call for it on his next visit, a procedure 
that seemed to me to be unnecessarily time-consuming. It seemed to me 
that he was always rushing on to the next entry and never dwelled long 
enough on one to get enough out of it for a decent annotation. After 
he had finished with his pile of books, he would snap a rubber band 
around the pack of slips, take off his glasses, and vanish out the door 
by about 4 p.m. to beat the subway rush hour back to his home in Brook- 


lyn. I have never been to his home, nor seen his collection. 


January 1977 30 


Not all of this work was for the bibliography. Some was for his live- 
lihood, of course. But much, too, was for a remarkable literary con- 
tribution that puts everyone in the English-speaking world in his debt. 
Shulman collects quotations exemplifying the use of a word for the new 
Supplement to the Oxford English Dictionary. Many people do this, but, 
the editor, Dr. Robert Burchfield, told me, Shulman's figure of 5,000 


citations is about tied with only one other man's as the most used in 


the supplement. In part this is because Shulman's citations always give 
full bibliographic data and are checked against the original O.E.D. to 
make sure that his antedate its. "We use almost all of his," Burchfield 


said. And his name is enshrined in the preface to the first volume. 


Shulman's extraordinary familiarity with bibliographic tools greatly 
increased the range and depth of his listings. .But no man has the time 
to search every index. Yet it sometimes seems, from the unusualness of 
some of his entries, as if Shulman had. Where, then, did he find all 


of the works he cites, especially some of the obscure and out-of-the- 
way ones? 


Most came from references in other books on cryptology. Many came from 
friends. Louis Kruh passed along numerous items from his wide reading 
in fields different from Shulman's customary haunts, and in my travels 
throughout Europe I would frequently stop in at major libraries to see 
what they had, since libraries emphasize different things in their 
collection and often catalogue things differently. In Munich, once, 

my wife walked around town with her father while I spent the afternoon 
in the Deutsches Museum deciphering, with the help of a librarian, the 
Gothic handwriting in which the card catalogue listed the many items 
from German business magazines of the 1920s describing the new Enigma 


cipher machine. (Some of these appear on pages 87 and 88 of the bib- 
liography). 


But a goodly number of Shulman's "firsts" do come, in fact, from his 


CRYPTOLOGIA 


painstaking check of dozens of promising indexes. He examined the 

annual ones of military magazines, for example -- a job more burdensome 
than it at first appears, for not only must one look under "cryptography," 
but also "cipher," "code," "secret writing," "signalling," and others. 

In thinner areas, as general-circulation magazines, he checked the ten- 
year indexes. All of this patient work bore fruit in the many pre- 


viously unknown works that he has discovered. 


In compiling his bibliography, with its frequent additions, it would 
seem easier to have kept it on cards. But Shulman apparently felt that 


only as a manuscript of 8 1/2-by-1l-inch sheets with several items per 


page was it a "real" book. This required, however, repeated retypings 
for new entries. (Shulman estimates that he has retyped the manuscript 
ten times. The work was published by offset lithography from the last 
retyping.) The natural disinclination to retype yet again has, I be- 
lieve, deprived the reader of two benefits. One is recently-discovered 
items. For example, in 1970, Dr. Walter HÜflechner of Graz, Austria, 
published an important study on Cicco Simonetta's l5th-century treatise 
on cryptanalysis in the Mitteilungen des Üsterreichischen Staatsarchivs. 
But to insert it would have required retyping six pages of manuscript. 
It is not in. There are many other cases. The other benefit which 
Shulman's predilection for full pages has cost the reader is newer in- 
formation on older books. For example, in his comments on the important 
Bellaso work of 1555, he says "See Meister, p. 36-37 and Wagner for 
comments." The Codebreakers takes into account these two studies, one 
of 1906 and one of 1888, as well as later work, so is more up to date - 
to say nothing of being in English. But citing it would have meant re- 


typing a page, and the reader again loses. 


All this explains, but does not excuse, some of the faults of the bib- 
liography. Nor does it exhaust them -- not by far. Some are serious, 
some trivial. All are irritating. They are of three kinds: omissions, 


errors, and inconsistencies. 


January 1977 32 


Most prominent, in a bibliography that aspires to completeness, are its 
omissions. I do not mean the minor and obscure works that have escaped 
Shulman's attention, though there is a host of these: R. H. Hallamaa's 
Salakirjoitustaidon Perusteet (Helsinki: Tekiian KustantYma, 1937), 
Leopoldo Espinos Valdez's "La Escrita Secreta" (Guanajuato [Mexico]: 
Imprenta Económica, 1937), the discussions of commercial codes and con- 
densers mainly in the 1920s by Lorenz, Grünspan, Kerb, Moellenberg, 
Werder, Volker, KUhler, Hennig, Neuhaus, Lavelsbergh, Mahlberg, Tindl, 
and WitthÜft, the many references to secret ink in Chemical Abstracts, 
the articles on ciphers used in Switzerland by Henry Biaudet in the 
Suomalaisen Tiedeakatemian Toimituksia in 1912 and by Pierre Speziali 
works of varying types. Such omissions are bound to happen, particu- 


larly in a field like cryptology, in which various libraries shelve 


books on it with bibliographies (if they use the Library of Congress 
system), with business writing alongside of stenography and how to write 
business letters (the Dewey Decimal System), or -- depending upon the 
main thrust of the work -- with history, war, espionage, science, math- 
ematics, or linguistics. Rather I refer to the major works that have 


somehow eluded a man who, quite simply, should have known better. 


One of the most famous ciphers in the world is Francis Bacon's bilit- 
eral cipher. Shulman enters a 1505 book of Bacon in which he hints at 
this cipher, but inexplicably does not list the 1623 De dignitate et 
augmentis scientarum (later translated) that describes the cipher in 
detail. It's not as if this book is obscure: it founded modern 
scientific method. 


Shulman publishes a picture of G. F. Grotefend, the first decipherer 
of cuneiform. But one searches his bibliography in vain for any ref- 
erence to any writing of the Göttingen schoolteacher. In fact, his 

analysis was first published as an appendix in a work by his friend, 


Arnold Hermann Ludwig Heeren, a professor at the University of Göttingen, 


CRYPTOLOGIA 


of which an English translation is Historical Researches into Politics, 
Intercourse, and Trade of the Principal Nations of Antiquity (Oxford: 
D. A. Talboys, 1833), 3 vols. Grotefend's "On the cuneiform character, 
and particularly the inscriptions at Persepolis" appears in Vol. 2, 
pp. 313-60. 


One book on cryptology, and one alone, has caused international reper- 
cussions. Herbert O. Yardley's disclosures in The American Black 
Chamber of how his solution of Japanese codes had led to an embarrassing 
restriction on the size of the imperial navy created a wave on anti- 
American feeling when the book was published in Japan and perhaps even 
helped fuel the attack on Pearl Harbor. Yet though Shulman mentions the 
unimportant French translation, he says nothing about the epochal 


Japanese one. 


Cryptology today has become virtually a branch of applied mathematics. 
But Shulman does not give the first known work on algebraic cryptology - 
that of F. J. Buck in 1772 - though it is listed in Maurits de Vries' 


bibliography (which, incidentally, Shulman does not cite). Nor does he 


include more than a reference or two in what is now the liveliest and 
fastest-growing area of cryptology: data encryption. This seriously 


impairs the current usefulness of the work. 


Perhaps the most serious of all these omissions is that of an entire 
group: the classical writers -- Herodotus, Plutarch, Suetonius, and 
others -- who have transmitted to us our knowledge of the cryptology of 
antiquity, such as the skytale and the Caesar cipher. The same goes 
for medieval writers, such as the encyclopedist Isodore of Seville and 
the great, mysterious Roger Bacon. Shulman told me that because their 
writings antedated the invention of printing, he could not decide where 
to put them and so excluded them. But surely this problem is not in- 
soluble, especially in a bibliography that includes a section for manu- 


scripts. 


January 1977 34 


In far too many cases, Shulman fails to annotate the more important 
works. He does not tell us what is in the works by Alberti, Bellaso, 
Porta, Kercknoffs, Bazeries, and many other great names of the science, 
or even that they are the landmarks of what is for many a terra incog- 
nita. On Trithemius, author of the first printed book on the subject, 
he gives a long list of locations of copies -- all quite valuable -- 
and a description of the woodcuts, but says nothing at all about its 
contents, or its importance. Yet this is a basic task of the biblio- 
grapher! Similarly, he does not summarize the contents of many lesser 
works. For example, under Neyron, Principes du droit des gens, he says 
only "See article ix, p. 160-71. Includes a folding chart." Why 
couldn't he have told us what was in there, since he presumably saw it? 


It would have saved us so much time. 


On a technical level is Shulman's omission of printers and/or publishers. 
Ronald B. McKerrow says, on page 146 of his standard An Introduction to 
Bibliography for Literary Students, that "The usual bibliographical de- 
scription of a book includes the following: 1. The title, copied from 
the title-page more or less minutely and fully according to the purpose 
of the description, but always giving the place or printing or issue, 


the name of the printer and publisher, and the date, or as many of these 


particulars as are found there...." Shulman says that because he did 
not include these at the start, he never did, to maintain consistency. 
Consistency is in general a valuable characteristic of bibliographies, 
but in this case it has indeed proved a hobgoblin. It would have been 
far better to include some information inconsistently rather than none 
consistently. In any event, a kind of uniformity could have been at- 
tained by giving publishers for, say, all works after 1945. Shulman's 


failure here flaws his bibliography in a fundamental way. 


Shulman often concentrates more on a book's physical description than 
on its content -- he will note erroneous page numeration, for example, 
while saying nothing about the work's contribution. His technical 


faults glare in this context. Trithemius, the author of the first pub- 


CRYPTOLOGIA 


lished book on cryptology, wrote another on the subject that was not 
published until 90 years after his death. Shulman does not even honor 
this work with its full title. He fails to indicate that the 1603 
edition of Porta's work, with its important additions, is the author's 
own revision. Both editions of the excellent little work of John Fal- 
coner give the author only as "J.F." Shulman nowhere indicates this. 
He sometimes gives the titles of Russian works, not in transliteration 
of the Cyrillic characters, but simply in English translation, an un- 
Scientific approach that increases the difficulty of students who might 
want to consult the original. He sometimes does not give the title of 


encyclopedia articles. 


But faults of omission do not obtrude as much as those of commission. 
And these outright mistakes blotch far too many pages of the book. 


On pages 5-6, he says that Blaise de Vigenére's Traicté des Chiffres 
contains "what is popularly known as the Vigenère cipher, the most 
popular of all periodic cipher systems." Charles Mendelsohn laid that 
canard to rest in 1939. On page 19, Shulman remarks that John Wallis's 
Opera Miscellanea "is said to contain an article on ciphers." The 

title is Opera Mathematica et Miscellanea and it contains only a crypto- 


gram -- not even Wallis's solution. On page 98, he says that Yves 
Gyld&n was on the Swedish general staff. He was a civilian. On page 
III:111, he cites Gabrielli as the author of "many books on Florentine 
cryptography." The name is Gabbrielli and the "books" are merely his 
reconstructions of Florentine Renaissance nomenclators. On page 126, 
Shulman says that Uomini ombra "explains Italian ciphers in WWII." It 
reports the Italian navy's attempts at solving Allied ciphers. On page 
I1:2, he suggests that a publication reprinting letters of Charles I 
taken after the Battle of Naseby "may be the letters as deciphered by 
John Wallis." They are not. On page 123, he lists "Miguel Gomez Cas- 
tillo" as an author. The man's name is Miguel Gomez del Castillo. On 
page 89, he cross-references from the Lange and Soudart citation to a 
book by Ruchti. But Ruchti is talking, not about André Lange, the 


January 1977 36 


Frenchman, but André Langie, the Swiss. On page 130, he alleges that 
the cryptography of Arabic Tax officials, the qirmeh, is "of Coptic 
origin." It had nothing to do with Coptic. And so on, and on. 


Now a bibliography frees its compiler from the most difficult task 
faced by a writer, namely, deciding what his material means. It lets 
him concentrate solely upon gathering his information, checking it, 
and arranging it. One therefore expects a higher standard of accuracy 
and consistency in a bibliography than in, say, a history. But just as 
Shulman has omitted works and comments and erred too often, so he has 


failed in the logic and discipline of his organization. 


In his Bibliographies, Subject and National: A guide to Their Contents, 
Arrangement and Use, Robert L. Collison says, "The best bibliographies 
are notable for their consistency of purpose and treatment: the details 


are given in the same order and form throughout -- which facilitates 
easy reference -- and the contents and arrangement are based on an idea 
which is a real contribution to knowledge." But An Annotated Biblio- 


graphy of Cryptography is notable more for its inconsistency, which 
wastes the reader's time. 


The most incisive example comes on page 32. Shulman enters an article 
proposing 18 challenge cryptograms and lists the periodical as The 
Quarterly Journal of Science, Literature and the Arts. The next entry 


and a succeeding one list articles on the solutions and a prize. Their 


publication is given as The Quarterly Journal of Science. At once the 


reader asks the question, Is it the same magazine? Presumably it is. 
The volume numbers suggest it. But the reader does not know for sure, 
and to find out each person wanting to read these articles will have to 
check it out independently to be sure. Assuming they are the same, why, 
one wonders, has Shulman abbreviated the titles in the second and third 
cases? It irritates the reader and dissipates his energies, all for the 
saving, on Shulman's part, of perhaps 30 seconds. (To whet great pur- 


pose, I wonder, did he devote them?) This is a perfect instance of the 


CRYPTOLOGIA 


sort of sloppiness and laxness that one does not expect in a biblio- 
graphy but that one finds all too often here. 


Shulman divides his listings of printed works into a Part I, "A chrono- 
logical list of books and magazine articles from 1518 to 1976," and a 
Part II, "A chronological list of items that relate indirectly to 
cryptography." He has told me that he put into Part I works that in- 
clude actual examples of ciphers, and in Part II works that merely re- 
ferred to cryptology. But he very often violates his own rule. He 
assigns the memoirs of the chief of the French military radio intelli- 
gence section, General Frangois Cartier, to Part I, though they include 
no actual ciphers, while he relegates F. W. Winterbotham's The Ultra 
Secret, which likewise has no actual ciphers but whose disclosures make 
it one of the major works in the cryptologic canon, to Part II. He 
distributes articles on secret languages and invisible inks indiffer- 
ently into both parts (pages 115 and 11:25; pages 100 and 11:25). A 
good example of this illogicality appears in his comment on William F. 
and Elizebeth S. Friedman's The Shakespearean Ciphers Examined: "Be- 
cause of the cryptographic excellence of this book, it is included in 
this section of the bibliography. All other cipher material on the 
Baconian theory will be found in the second part." But it seems to me 
that the excellence of a book should be expressed by its annotation, 


not by promoting it to a different part of the bibliography. 


The inconsistency of the bibliography extends beyond its arrangements 

to its contents. It includes many works that do not belong. The 
Baconian craziness is one such category: several very complete bib- 
liographies of it already exist, and Shulman's few listings add nothing. 
Others that do not belong are the works on whistle languages (pages 
II:24 and 11:25), on binary encodings (page 131) and on espionage, 
about which he sometimes concedes "Nothing on ciphers, but of general 
interest" (page I1:80). So what in the world is it doing in a biblio- 


graphy of cryptology? 


January 1977 38 


Again, in the field of non-printed works, Shulman lists a number of 
Manuscripts on cryptology. This is valuable. But he also lists a 
‘number of manuscript letters in cipher. Here angels should fear to 
tread. For the few enciphered letters that he picks out are merely the 
tip of an iceberg awesome in its volume. The Bibliotheque Nationale in 
Paris, for example, has hundreds of volumes of catalogued letters in 
cipher, sometimes with, sometimes without their keys, and probably 
dozens more uncatalogued. I shall never forget my surprise when, leaf- 
ing through the thick, dusty volume in the manuscripts division that 
had François Vi&te's solution of a cipher of Philip II of Spain, I 
found it filled with letters in Renaissance cipher symbols, undeciphered, 
the ink browned, a forgotten historical treasure. I had never sus- 
pected that so much cryptologic raw material existed, and I wondered 
how much more stood on the shelves of the world's great libraries. If 
Shulman wanted to wade into this quagmire, he should have cited, not 
just a few individual letters, but the manuscript catalogues of the 
major libraries. If he did this, however, he should also have listed 
the material on cryptology in the public archives of the world. This 
would include not only the quantities of cipher keys in, to take just 
one example, Sweden's Riksarkiv, but also the volumes dealing with the 
interception of foreign messages in, to take another case, Austria's 
Haus-, Hof- und Staatsarchiv. But such a catalogue would have outrun 
anyone's expectations of a bibliography. I mention it here not to 
suggest that he should have done it, but to show why he should have 


purged his bibliography of elements that might have raised false ex- 
pectations. 


The same thing may be said of his reprinting of a list of cipher patents 
that Howard Oakley issued, with a one-word description of each mechanism, 
around 1959. Aside from mentioning the inventor in nine cases, Shulman 
gives us none of the description. Moreover, the list stops with Patent 
No. 2,624,958. Yet patent numbers today are approaching 4,000,000. 
Shulman has thus omitted all of the most recent patents on cryptology 


and at least a third of all ever issued. The most ironic thing is that 


CRYPTOLOGIA 


the Patent Office will issue upon demand a complete list of all patents 
in a particular class and subclass. So a better way would have been 
for Shulman simply to list the subclasses that incorporate cryptology. 
It is not feasible, however, to have expected him to include a descrip- 
tion of every patent. This would no doubt be extremely helpful, but 
the work involved is enormous: I know, for I tried it once for three 
or four days down in the Patent Office. Aside from the very great 
number of patents, with the more complicated mechanisms it is often 
difficult to tell what kind of cipher they produce simply from the 


description. 


Such, then, in my opinion, are the chief faults of this bibliography. 


But a few other comments need to be made. 


Some of the users of the bibliography with whom I have spoken about it 
have complained to me about its chronological arrangement. They feel 
that an alphabetical one would be preferable, since they usually want 
to look up an author, which in Shulman's work requires first finding 
his name in the author index. The users have also criticized this in- 
dex for giving, not the page of the bibliography on which an author's 
work appears, but the year, thus often requiring the user to leaf 
through several pages to find the work, and to go through them all a 
second time if he does not find it the first. I agree that both criti- 
cisms are valid. In a science as full of regressions as cryptology, a 
chronological arrangement contributes little. Had Shulman done the 
work of listing author entries in the index by pages, he would have 
saved his users a great deal of time. But somehow these faults do not 
annoy me much. I see the arrangement as a legitimate one and as easier 
to supplement, and the index entries as sacrifices to the rush to get 
out the book when Shulman found a publisher and as enforcing an enrich- 


ing browsing. 


Reviewers seldom discuss the tone of a bibliography. But that of 
Shulman's is so striking that one cannot pass over it. It is often 


quirky, boastful, and mean. 


January 1977 40 


In a work that is generated by the most refined tools of scholarship, 

it is utterly inappropriate and incongruous to come across a critical 
annotation on the juvenile by Bernice Kohn that states, in part: "With 
a name like Kohn, she should have consulted the excellent work of Kahn." 
Nor does one expect the irrelevancy one finds under Abram Colorni. 

"The printer's name [Giovanni Sciuman] I thought was the earliest exam- 
ple of my own name, Shulman, that I have been able to trace, but I have 


since found an earlier example." The mind simply boggles in amazement 
at this kind of stuff in a serious book. 


Shulman often brags of his own small successes. Under Paul Friedmann, 
for example, he says, "David Kahn, The Codebreakers, p. 1118, reports 
no biographical data in NN, but my article in the Cryptogram, Sept.- 
Oct. 1970, p. 91, 95, and 99, disproves that." This is but one example 
of several. On the other hand, he grudges credit to others. To again 
take just one example of several, he carps about Joseph S. Galland's 
pioneering bibliography, which proved so valuable to so many students 
during the 30 years that Shulman was not publishing his own and still 
is more useful than Shulman's on many points: "This is marred by such 
glaring errors as the inclusion of books on gems and abbreviations in- 
dicating that the compiler did not take the time to check the contents 
of the books he listed." We have seen how Shulman is himself vulnerable 
to similar charges. What is sad about this is that Shulman has for- 
gotten to honor his teachers and predecessors; he has not shown the 
humility that a genius (Isaac Newton) could: "If I see farther than 
others, it is because I stand on the shoulders of giants." 


Three minor points ought to be cleared up. Why the use of the word 
"cryptography" in the title of a work that deals with both cryptography 
and cryptanalysis? Shulman says that the publishers insisted on the 
word "annotated" in the title, and he himself then used "cryptography" 
instead of "cryptology" to avoid confusion with Galland's An Annotated 


and Historical Bibliography of the Literature of Cryptology. I person- 
ally think the decision is to be regretted, as it will slow acceptance 


CRYPTOLOGIA 


of the valuable term "cryptology" to mean both cryptography and crypt- 
analysis. Shulman frequently refers to the Bibliothèque de Sainte- 


Genevieve without ever saying where it is. The correct name is 
"Bibliothèque Sainte-Geneviéve"; it is a library of the University of 
Paris and is located on the Place du Panthéon. He also refers frequently 
to the "A.R.C." This means the Bulletin of the Amicale des Réservistes 


du Chiffre, a privately-issued periodical of French army reservists. 


But is there nothing positive to say? Has the bibliography nothing 
worthwhile about it? There is, and it has. It just takes longer to 


explain why something is wrong than simply to say, "Good show!" 


Shulman's bibliography is a most useful work. Its good outweighs its 
bad. It will help many people to pursue the study of cryptology. It 
will aid book collectors. Its annotations will inspire investigations 
of many curious nooks, such as the systems proposed in the middle 1800s 
to encrypt messages -- especially between lovers -- on the newfangled 
postal card and the diplomatic pornocipher of a regent of France (pages 
II:12 and 11:69, if you're interested). Shulman brings to light many 
unknown items that would otherwise have lain forgotten in the library 
stacks of the world. I knew of several articles on ciphers in the 
classified columns of the London newspapers; Shulman has found several 
more, which I look forward to using as the basis for an article. Each 
user will find his own nuggets. I want to read an article on World var 
I cryptology that I had never heard of (page 107), on diplomatic 
ciphers (page 132) on the various early cryptographs. There are riches 


here for all. 


Shulman will also accelerate the progress of cryptologic research by 
directing it and by saving students time. E. Phillips Oppenheim, the 
Spy writer, entitled one of his stories "The French Cipher Case." 
Shulman, who went to Washington to find many such works in the Library 
of Congress and then spent hours skimming pages to find the cryptologic 


material, reports: "Fiction with no actual cipher in it." He tells us 


January 1977 42 


that the 1923 article by Fritz Hansen, entitled only "Die Chiffrier- 
maschine," actually discusses the Enigma. Dozens of such cases spangle 
his pages. 


Other early readers have been highly enthusiastic. One said that he 
felt "like a kid in a candy store" when he first got the book, for it 
guided him to many articles in books and periodicals in his library in 
Providence that had material on cryptology that he had not known about. 
"I dove into it," he said. "For me it was great." Another reader told 
him that "Your bibliography is wonderful. I like your comments...Con- 
gratulations on such a marvelous result." He said that "It gives infor- 
mation that the ordinary cipher fan can't get anyplace else," such as 
the location of copies and the scarcity of books. Still, another said 
that "It is a good book because it covers a lot of ground not in 
Galland and there's no thorough bibliography of the subject." A fourth 
wrote, "Truly, the work is a gold mine of information. The errors are 
minimal; mostly minor misprints. I am sure that it will be the land- 
mark of its kind. Some of the entries are 'eye openers.' Really 
tremendous." A fifth said that he loves to browse through it. And a 
sixth foresaw that "It will undoubtedly be the book for collectors, 


librarians, bookdealers, and future bibliographers for years to come." 


That is a prophecy with which I heartily agree. Shulman's biblio- 
graphy establishes itself at once as the standard one in its field. 
So I welcome this work of a man's lifetime, and I recommend it to all 


cryptologists who still seek new worlds to conquer. 


CRYPTOLOGIA 


A REPLY TO KAHN'S REVIEW 


David Shulman 


Maury Maverick, former U.S. Congressman, wrote in his autobiography, 
A Maverick American, New York, Covici, Friede, 1937, under the heading, 
Approximately a Preface, "Because nobody reads a preface, the author 


writes it as chapter l of his book". 


| 
I wish I could have done the same for mine. But, unfortunately, my 


bibliography has no chapters, no stanzas, no acts. Therefore, I had to 
be satisfied with an Introduction. It may perhaps be the most important 
element of my work --t I don't know. But, at least, it states plainly 
what I am doing, my knowledge of my own errors, and my apologies. It 
also lists the acknowledgments of those who helped me, including David 
Kahn. 


Instead, David Kahn wádes directly into the bibliography with an attitude 
of getting his feet wet --- and that he does, that he does, almost drown- 
ing himself in the process, thereby. Like a lifeguard, to continue the 
analogy, I have to hasten to the rescue of my good friend to pull him 
out of the deep water he has gotten into heels over head. 

| 
Take one book, for example, The Luck of the Secret Service, by William 
LeQueux, London, C.A. Pearson, limited, 1921. The Library of Congress 
lists it in its catalague. I wrote and waited three weeks for a report 
on its Interlibrary Ldan System. It finally arrived informing me that 
the book is missing! |Since I found other books by LeQueux mentioning 
ciphers, was I to list| this one in my bibliography or to ignore it 
entirely? It might and might not qualify for entry. There is no way to 
know until I see the book. I am searching for a copy. At one time, I 
placed a want ad in t le book trade magazine, Antiquarian Bookman. I got 
other books by LeQueux, but not that one. 


January 1977 44 


So, I omitted it for the time being from my bibliography. Multiply that 
by a few hundred other unlocated items and I hope Kahn and others carping 
like him will understand the need for toleration, patience, and apology. 
Just because the important book by F.J. Buck is omitted does not mean 
that I am ignorant of it. In fact, I omitted others he does not even 
know about that are even more important (the word important is here debat- 
able). 


If Kahn wants to quote Newton on people employing the labors of their 
predecessors, I can counterquote with Dr. Johnson who was asked by a 
woman admirer why he had wrongiy defined the ward pastern. "Ignorance, 
madam, sheer ignorance", he replied. (Kahn has slightly misquoted Newton. 
The original quotation is from the Latin of Lucan. For the sake of 
accuracy, Newton wrote to Robert Hooke, "If I have seen further (than you 


and Descartes) it is by standing upon the shoulder of Giants). 


It is a Herculean task, and sometimes Sisyphean, for a bibliographer to 
try to be as thorough as outsiders like Kahn would like him to be. He 
has encountered that sort of labor in his monumental work, The Code- 
breakers. I have refrained from mentioning the numerous errors in his 
book in my bibliography; I think it is too good for me to try to mar it 
by faultfinding. 


I wish he had read the Introduction before wading into the bibliography. 
Now, it would seem I must take the time and trouble to answer his spe- 
cific criticisms, refuting some, accepting some. My time as a biblio- 
grapher is too valuable for that end I shall leave it to others, more 
objective or dispassionate to cooly assess and answer the charges, to 


do so in my behalf. 


David Kahn admits that "its good.outweighs its bad", but he also con- 
cludes that it takes longer to explain why something is good (he must 


mean the opposite) than simply to say, "Good show". 


CRYPTOLOGIA 


| 
Why does it take more time? Doesn't it take as much time to at least 
balance the good with the bad and present the good points as a running 
counterpart? When he writes, for example, that I omitted something 
important, why doesn't|he balance with something I have listed just as 
important that he didn!t know about? Much later on, he admits some 


important items he did|not know existed. 


If he gives a certain number of omissions, then he should admit that 
there are just as many jand even more inclusions that are just as impor- 
tant. This vitiates his contention that it takes more space to explain 
the good than the bad.| To the same degree, if not greater, he could 
have had a running balánce on the omissions with just as remarkable 


inclusions. 


It is amusing that he fries to explain the bibliography by going into 
my personality quirks.| Is he a psychological cryptographer? What kind 
of objectivity is that|to give not only a review of my book but of my 


personal life of which|he could hardly be as intimate as myself? 


In the meantime, ! am on the way to a second edition with over 400 
additional entries for a revised work, which is not almost sold out. 
While it sounds rather arrogant, I still dare to say it anyway, "Let 


the chips and critics fall by the wayside". 


Oh, one other point, before I forget it. I liked the second part of 
David Kahn's review better than the first part --- that part where he 
rapturously praises my bibliography. A bit of inconsistency on his 


part, n'est-ce-pas? 


January 1977 46 


UNICITY POINTS IN CRYPTANALYSIS 


C.A. Deavours 


Claude Shannon, the father of information theory, also laid the founda- 
tions of mathematical cryptanalysis in 1945 with his publication "A 
Mathematical Theory of Cryptology" (reprinted later under the less de- 
scriptive title "Communication Theory of Secrecy Systems" [1] ). Shannon 
sets forth in this paper, using characteristically clear and direct prose, 
the essence of cryptography and cryptanalysis. The paper can be read 
with profit by anyone interested in the foundations of the cryptographic 


science and requires a minimal degree of mathematical maturity in most 
parts. 


An interesting section of the paper deals with the concept of unicity 
point. The unicity point of a cipher is the message length beyond which 
decipherment using a known system becomes a unique process. For mes- 
sages shorter than the unicity point distance, plural decipherments are 
the rule and the would-be cryptanalyst has no possible method of select- 
ing the correct decipherment from the many available ones. Thus, even 
assuming the intercepter of the cryptogram to have complete knowledge of 
the system of encipherment used (excluding the particular key), no un- 
ambiguous solution is possible if the amount of text intercepted is less 


than the required amount set by the unicity point. 


For a random cipher, the unicity point can be estimated using the simple 
formula: 


U = H(K)/D. 


H(K) is the logarithm of the number of possible keys in the given system 
and D is the redundancy per letter of the source messages. English has 
a redundancy of about 1.11 digits or 78%. The formula is simple encugh 
but its accuracy rises or falls to the extent that the encipherment 


system is random in Shannon's sense. A complete discussion of just what 


CRYPTOLOGIA 


constitutes a random ciph r would require too much space here. But the 


two most stringent requirements are that each encipherment key be equi- 
probable in use and that decipherment of a message using a randomly 
selected key be equally likely to produce any possible source message. 
(For our purposes, a source message means any arbitrary string of plain- 
text characters, meaningful or not, which has the same length as the 
cryptogram.) A related cipher model is discussed in Appendix A of this 
paper. Monoalphabetic substitution and transpositions are not good 
examples of random ciphers, but even in these cases the unicity point 
formula serves as a lower bound for the actual unicity point [2]. More 
intricate ciphers such as the Playfair, trifid, n-gram substitutions, and 
polyalphabetics of fairly long key usually approximate random ciphers to 
a satisfactory degree. An index of coincidence near the random value of 


.038 is an appropriate statistical test in many cases. 


Shannon's derivation of the unicity point formula is couched in infor- 

mation theoretic terms but a simpler approach is possible [2]. Suppose 
the plaintext message consists of alphabetic characters. There are 26N 
possible source messages of length N. It is usual to write this number 


in exponential form: 26" = 100108 26) N , j91.41N 


Most of the N-character strings will be meaningless jumbles of letters 
but some strings will constitute valid English plaintext segments. For 
fairly long character strings, the number of valid English plaintext seg- 
ments has been found to be approximately 105. By analogy with classi- 
cal statistical mechanics the constant .30 is called the entropy per 
letter of the language. If we randomly pick a cipher key and decipher an 
N-character cryptogram, we may get a recognizable English message or a 
collection of N disconnected letters. Even if the message is valid En- 
glish we can not assume it to be the intended one since we might have 
chosen the wrong key. The chance, i.e., p, the probability of getting a 
meaningful message should be, on the average, the number of meaningful 
messages divided by the total number of possible source messages, so 


, 30N 1901: 41N ka i07 1 HN. 


p= 10 


/ 


January 1977 48 


In general, this last term is written fo where D is termed the redun- 
dancy IN DIGITS of the language in question. A D value of 1.11 for En- 
glish means that English is about 1.11/log 26 = .78 = 78% redundant. 


If there are 10" keys for the cipher and if we try all of them, how many 
meaningful messages should we recover? There will be at least one mean- 
ingful message (the correct one); using the other 10H - 1 keys should 
give about 10H. p more meaningful messages. Thus, the expected number 
of "spurious" decipherments is given by: 


Ex 1071: HN(i9H beoe 1971: 1N ^. 19 1- HN. 


For N even modestly large, the second term on the right is negligible and 
can generally be neglected. E is large if the exponent -1.11N + H >> 0 
and is small if -1.11 + H << 0. The point where -1.1lN + H = 0 or 
N=H/1.11 divides the region of few solutions from the region of many so- 
lutions and is thus appropriately termed the unicity point. Figure 1 
shows the unicity point line log E = -DN + H for a Vigenere cipher of 
period 5 assuming 26? possible keys and differing redundancies for the 
message source. The less redundancy the message source has, the farther 
out the unicity distance ( log E = 0 ). 


In practice, the redundancy of the message source can be lowered by 
coding before applying the cipher. Simple abbreviations can be used for 


this purpose, e.g. REPORT RECEIVED might become RPRT RCVD. 


To illustrate Shannon's result, we shall calculate some sample unicity 
points applied to several classical ciphers assuming English to be the 
language of the message source. For a Vigenere cipher which uses an al- 
phabetic key of length P the key can be chosen 2c? ways. Since the al- 


phabetic sequence is normal, no freedom of choice exists in that direc- 
tion. Thus, 


H(K) = log 26 = P log 26 = 1.41 P 
and so, 


Us 1.41 P/ 1.11 = 1.27 P letters. 


CRYPTOLOGIA 


We interpret this result as follows. Suppose a cryptogram known to be in 
Vigenere is intercepted. A proposed solution is offered which results in 
valid text. If the proposed period is P, then more than 1.27P characters 
present in the original cryptogram indicates that the solution offered is 
probably unique. Less than 1.27P characters present in the cryptogram 
forces us to reject the proposed solution as only one of a set of possi- 


ble ones. 


If we mix the cipher alphabets in the above system, the number of keys 
increases to 261-26” since the alphabet can be disarranged in 26! ways 
(26 possible substitutes for "A", 25 for "B", etc.) and with each of 

these permutations any one of the 26? possible key phrases of length P 


can be used. The unicity point now shifts out to 
U = log (261-26?) = 23.97 + 1.27P letters. 


Note that mixing the alphabetic sequence extends the unicity point by a 
distance which is independent of the key phrase length and contributes 
negligible security to the system for long key phrases or cipher text. 


Some other sample unicity point data is given below. 


TYPE OF CIPHER UNICITY POINT IN NUMBER OF LETTERS 
Vigenere, key of length P 1.27P 
Vigenere, mixed cipher alphabet, key 
length P (Quagmire II) 23.97 + 1.27P 
Vigenere, mixed cipher alphabet and 
mixed plain alphabet. 47.94 + 1.27P 
sequence, key length P (Quagmire IV) 23.97N 


N independently mixed alphabets used 
sucessively 23.97N + 1.27P 


N independently mixed alphabets, key 
of length P, key composed of M 


distinct characters .90 log M + 23.97N 
Random digraphic substitution 1460.61 
Playfair 22.69 


Foursquare (Two mixed alphabets) 45.38 


January 1977 50 


Random N-gram substitution .90 log (26%): 


Homophonic substitution with N 26 
substitutes per letter (1og(26N!/N!* ))/1.11 


The number of keys used in this last result can be found as follows. 
Since there are N substitutes per letter, there are 26N substitutes in 
all. The N substitutes for "A" can be chosen 26N!/N!25N! ways (combina- 
tions of 26N things taken N at a time). The N substitutes for "B" can 
then be chosen 25N!/N!24N! ways, etc. Thus the total number of keying 


choices in deciphering is 


26N! . _25N! Di dada u$ N! = 26N! 
NI25N!  NI24N! NI 0! "TES 


Homophonic substitutions are interesting in that one needs to know not 
only the substitution key but the order of use of the substitutes to en- 
cipher and to produce a unique cryptogram whereas, to decipher, one only 
needs to know the substitution table. The above result is based on the 
assumption that the key is not further restricted such as using the same 
substitute for every letter and producing a monoalphabetic substitution. 
For N large enough that the Stirling factorial approximation may be used, 
the unicity point value is found to be approximately U = 33.14N. In 
effect, this result tells us how to design a homophonic substitution 
cipher whose unicity point is always longer than the message length. For 
example, to encipher a 500 letter message we need U = 33.14N > 500 or 

N » 15 to avoid unique solution. For homophonics using proportional rep- 
resentation of the cipher substitutes, the corresponding calculation of 


the number of keys yields a multinomial coefticient. 


The unicity point for the Playfair cipher seems too short to most people. 
Who can solve a Playfair only 23 letters long? The beginners method of 
solving such ciphers using only digraphic frequency tables without sub- 
sequent buildup of the keysquare is seen to be futile since this method 


would require about 1400 characters which is far longer than the usual 


CRYPTOLOGIA 


message length. 


An interesting example of such a near unicity point solution is to be 
found in the NOV-DEC 1936 edition of the Signal Corps Bulletin. An 
American Army private, A. Monge, solved the following 30 letter challenge 


Playfair cryptogram offered by a British general: 


BUFDA GNPOX IHOQY TKVQM PMBYD AAEQZ. 


The plaintext which Monge obtained makes it clear that he had the in- 
tended message. Although the cryptogram is near the unicity point in 
length, Monge assumed, correctly, that the keysquare was of the keyword 
mixed variety. Restricting oneself to such incomplete mixings of the 
alphabet reduces the unicity point even farther. For instance, if the 
last row of the keysquare can be assumed to be V W X Y Z, the unicity 
point falls to no more than 16.56 letters. Hence, Monge was in better 
shape than might first appear. (There seems to be no record pertaining 


to a transfer of funds upon Monge's solution.) 


As anybody knows, showing that a solution is unique (which is what the 
unicity point does) and actually finding the solution (solving the cryp- 
togram) are two different things. Unicity point studies only indicate 
the amount of similarly keyed text which can fall into enemy hands with- 


out compromising the plaintext. 


As an example, consider the Allied World War II SYKO field cipher de- 
scribed in David Kahn's masterwork The Codebreakers [3]. One version of 
the SYKO system consisted of 32 independently mixed cipher alphabets of 
37 characters each (26 letters, 10 digits, and a "-" for word divisions). 
The alphabets were used in sequence to produce a polyalphabetic cipher 


of period 32. We have, 


5 
U = log (37)13?/1.11 = 1244 characters 


This is about 39 characters per alphabet. Solution of this system based 


January 1977 52 


on a Kerckhoffs superimposition would. require a similar number of 
characters per alphabet. In this case, the unicity point and the actual 


amount of text needed for a working solution are very close. 


` further example of the usefulness of unicity point studies is pro- 
vided in the study of ciphers with compound or Vernam keys. A progres- 
sive key Vigenere cipher is a very simple example of such a system. If 
the primary key has length 7 and the index of progression is 1, then the 
total period is 7 x 26 - 182 characters before keying repetition. The 
unicity point for this cipher is not 1.27P - 1.27(182)- 231.14 characters 
as might be supposed from the foregoing table. Because the key is a 
compound one, the primary key can be chosen 267 ways and the index of 
progression 26 ways (1,2,5,...,26) making a total of 267 -26 possible keys. 
This yields a unicity point of log 267 +26 / 1.11 = 10.20 characters. 

A drastic reduction! 


In general, if a primary key is alphabetic of Pi characters and is fol- 
lowed progressively by a secondary key of P2 alphabetic characters then 
the number of key choices is 26P1.26P2 = 26P1'P2, the unicity point for 


the compound system is then 
U = log 26P1'P2/ 1.11.= 1.27 (p, + p,)- 


This interesting result shows that a compound key of the Vernam type 
increas^s the unicity point by a length which depends on the sum of the 
separate keys although the key length depends on their product. Vernam 
keying is seen to be very inefficient in improving the security of a 
cipher system. Bryant Tuckerman in a computer investigation of Vernam- 
Vigenere ciphers [4] uncovered the same disagreeable property of Vernam 
keying. Shannon's work makes it plain just why Tuckerman got the result 
he did. 


Turning back to our previous formula for E, the expected number of 


spurious decipherments, we can extract some interesting information. 


CRYPTOLOGIA 


Consider a running key Vigenere cipher which uses normal English plain- 
text as a key. Experience has shown that almost all cryptograms using 
this system are solvable provided only that they are long enough. From 
this observation alone, one can estimate the redundancy of English. The 
approximate number of coherent English plaintext strings of length N 
characters is 
10° 
where R is the redundancy of English and N is the number of characters 
present in the string. This formula holds well only if N is in excess of 
15 or so characters. For a running key cipher, the above number is also 
the number of keys of length N. The formula for E becomes, in general, 
TA 107 DN * RN ós 10 DN z 19 6-D+RIN 
If the cipher is uniquely solvable for large enough N then E must approach 
zero as N increases. This can only happen if the exponent -D + R is less 


than zero. Since D = log 26 - R we have 


-D+ R= -D + log 26 - D = -2D + log 26 < 0 
or 


D > log 26/2 = .71. 


A redundancy of .71 is, in percentage terms, about .71/log 26 = 50%. We 
conclude that if the running key cipher of the type described is uniquely 


solvable then the redundancy of English must be at least 50%. 


Returning to our original formula for E and inserting the standard 

values of R = .30 and D = 1.11 we find that E is less than 1 for N greater 
than 1. In other words, the solution to a running key Vigenere is unique 
if even so much as 1 character is received. This result is obviously 
false. The problem lies in the original formula which was calculated 
using the redundancy of English as 1.11. In actuality this value is not 


reached until more than N=20 letter groups are used in the entropy cal- 


January 1977 54 


culation for English. D and R are functions of N. A better procedure 
in the formula for E would be to use values of D and R based on the 
entropy of English calculated for the appropriate value of N. Appendix 
B shows how an approximate formula of this type may be derived. Using 
this approximate formula in the equation for E results in the unicity 
point curve shown in Figure 2. The curve shows the unicity point for a 
running key Vigenere cipher to lie at about 8 characters. This result 


seems to the author in accord with experience. 


Most persons acquainted with unicity point theory feel that its results 
are usually too severe and that, in reality, much more than the minimum 
number of specified characters are needed to affect solution of a given 
cryptogram. This feeling arises, no doubt, from experience gained by 
applying a certain method to cryptanalyze a particular type of cipher. 
Redundancy of the message source which is carried over into the cipher 
text is the basis of most cryptanalytic methods. The less a given method 
makes use of the redundancies present in a cryptogram, the more text will 
be required for a solution. One can define an effective unicity point 


based on these ideas. 


As an illustration, consider monoalphabetic substitution. (Not a good 
example of a random cipher but an easy one with which to demonstrate our 
method.) The unicity point for monoalphabetic substitution is approxi- 
mately 

U = log 26!/ 1.11 = 24 characters 


(This is a remarkably good estimate in view of William F. Friedman's 
corresponding estimate of 25 characters.) If one. attempts to solve a 
monoalphabetically enciphered message using only letter frequencies then 
the effective redundancy which should be used in calculating the unicity 
point is 0.20 digits. This is because the entropy of English calculated 
on the basis of single letter frequencies is about 1.21; hence, the re- 
dundancy is log 26 - 1.21 = .20 (14%). Thus, 


Uff. = log 26! / .20 = 133 characters. 


CRYPTOLOGIA 


Correspondingly, using only digraphic frequency data Voce = 65 char- 


acters; and, with trigraphic data, U. ec. = 55 characters. When we con- 
sider 8-grams about 38 letters are required to effect solution. What 
actually happens in the solution process is that one uses lst order 
entropy knowledge to gain a foothold and then rapidly expands to use of 
higher order relations as entire patches of plaintext are revealed. This 
explains why only 25 letters are needed. It also explains why more than 
the minimum number of characters are usually needed to achieve a solu- 


tion in a reasonable amount of time. 


In general, the effect of encipherment is to spread out, "diffuse," in 
Such a diffusion process forces the would-be penetrator of a message to 
intercept a relatively large amount of encrypted material before he can 
rederive the redundancy present in the source messages. A simple heu- 
ristic argument will demonstrate the point. Consider a Vigenere 
encipherment of the phrase "ofthe" using the key word KING. The entropy 
of English plaintext is defined as 

26" 


R= lim- Z p log p /N 
Neo isl * 


where the » are the probabilities of occurence of English N-grams. In 
the cipher, the phrase "ofthe" may appear as either YNGNO, WSZRM, BLDPR, 
or UPBVK depending on how the phrase straddles the key word KING. These 
four 5-grams will each occur in the cryptograms received with approxi- 
mate probability p/4 if p is the probability with which "ofthe" occurs 
in the plaintext messages. Furthermore, we can assume that the cipher- 
text phrase OFTHE occurs with probability zero and the plaintext phrases 
"yngno", "wszrm", "bldpr'", and "upbvk" occur with probability zero also 


since they are not pieces of coherent English text. 


With a polyalphabetic cipher of period p, a given N-gram which occurs 
with probability p. in plaintext gives rise to p cipher N-grams which 


each occur with probabilities Py / p. The original plaintext N-gram will 


January 1977 


be expected to occur with probability zero in the cipher text if N is 
very large and the cipher N-grams will occur with zero probability in 
plaintext. 


Therefore, if we compute the entropy of the message source, a series term 
of the form 


N N 
- p; log p; / N 


is replaced, if the entropy calculation is done on the ciphertext, by p 


terms of the form 
-(P}/p) log (p/p) /N 


totaling 


-(p\/p) log (P}/p) / N 


The termwise difference between these two values is 
- Py log p / N. 
The total of all such differences is 


(E pj log p) / N= (log p/N) ( pj) = log P/N. 
i i 


This last term can be thought of as an "entropy diffusion factor" for 


polyalphabetic ciphers. Since log p/N + 0 for N + œ and p fixed, 


we see that if enough text is intercepted the entire redundancy calcula- 
tion can be done using cryptograms instead of plaintext. This is impor- 
tant because most statistics used to cryptanalyze messages are based 


ultimately upon redundancy present in the cryptograms. 


Since redundancy in the source messages which is carried over into cryp- 
tograms provides the cryptanalyst with his primary means of attack, then, 
any method of reducing the redundancy present in the source messages will 


ultimately complicate the would-be penetrator's problem. English has an 


CRYPTOLOGIA 


estimated redundancy of 78%; this means that up to 78% of most English 
text could be deleted and that text could be unambiguously reconstructed. 
(Not any 78% can be deleted, of course, some parts of the text carry 

more of the meaning than others.) This process, if fully utilized, would 
reduce the redundancy of English to zero and therefore extend the unicity 
point out to infinity. No message having zero redundancy could, when 
encrypted, ever be uniquely solved, no matter what amount of text is 
intercepted. One can calculate the percentage reduction in redundancy 


which will occur when different percentages of text are deleted. 


Let p represent the fraction of text deleted. The total number of En- 
glish messages which are of length N after the deletion equals the total 
number of messages which were, before deletion, of length N' where N and 
N' are related by the equation N' - pN' = N. Since the original number 
of messages was nu (R = entropy of English = .30), the new number of 
messages of length N is 


jo QV -PN 


The effective entropy after deletion is changed from R to R/(l-p). The 


new percentage of redundancy can be found from computing 
(1og 26 - (R/(1-p))/1og 26. 


Figure 3 shows a plot of percentage deletion versus remaining percent 


redundancy. 


As an example, all vowels A,E,I,0,U and Y (when occuring as a vowel) can 
usually be deleted from English without risking loss of meaning; this 
deletion shortens the average text by about 40%. The effective entropy 
after deletion is therefore .30/.6 = .5 or about 65% in terms of redun- 


dancy. 


An interesting question which Figure 3 answers is the following. How 
much text must be deleted from the key and plaintext of a running key 


Vigenere cipher in order to render unique solution impossible? Deletion 


January 1977 58 


of vowels is not enough since our previous results have indicated that a 
redundancy of less than 50% is necessary. Referring to the figure, we 
see that to lower the percentage redundancy to 50$ or less we must delete 
about 58% of both key and plaintext. 


If the reader desires to test his skill on a redundancy reduced cipher, 
below is given a running key Vigenere cryptogram in which all vowels have 
been deleted from key and plaintext. Persons shown the deleted key and 


plaintext were able in a matter of minutes to reconstruct both. 


AAETU GPDLZ MOEEK KOKAA PXFIE PZFP 


The remaining topic to be considered is application of our methods to the 
study of ciphers with purely random keys. Such keying sequences cannot 
be generated by mathematical formulas but can be constructed by using 
physically random phenomena such as radioactive decay to activate re- 
cording devices. Suppose each character of plaintext is encrypted using 
one character, either numeric or alphabetic, chosen randomly from a set 
of L possible ones. To encrypt a string of N characters the number of, 
random keys possible is E Our previous expression for the number of 


spurious decipherments becomes 


-1.11N +N log L -1.11N 


E= 10 - 10 


since H(K) = LN = 19" 1o8 L, 


Unique decipherability implies 
-1.11N + N log L< 0 
or, 


Pees cae E 


If fewer than 13 choices are available at each encryption step the crypto- 
gram is uniquely solvable given enough text EVEN IF THE KEYING SEQUENCE 


CRYPTOLOGIA 


IS COMPLETELY RANDOM. To illustrate, suppose we are given a one time pad 
composed of the random digits 0,1,...,9 and we use the pad as a random 
key for a Vigenere cipher. This amounts to using 10 of the 26 possible 
Vigenere alphabets randomly. The number of possible keying sequences 
which can be used to encipher N letters is 107° so L = 10 and the cipher 


is solvable uniquely by writing down all possible decipherments and 


picking out the (unique) one which is coherent English. As one can see, 
the result is theoretical and not particularly practical in most cases. 


To an extent, the result shown above is obvious. If all 26 Vigenere 
alphabets were used in the preceeding example [5] randomly then L=26 

and no unique solution can be found. This is because any letter is 
equilikely to replace any other letter in the encipherment making all 
texts equilikely. If, on the other hand, only two or so cipher alphabets 
were used, a unique reconstruction of the text is usually possible. The 
reader can verify this by solving the message below which is Vigenere 
enciphered using a randomly chosen key consisting of B's and C's. In 
this case, one can go through the cipher writing down the two substitutes 
for each letter. By choosing the more probable of the two based on En- 
glish letter frequencies enough plaintext will emerge to complete the 


solution. The random use of the key does not prevent decipherment. 


TPOGD JRJFS UBSFC SQLGP COFUQ NFDSF CLVIF TONWG T 


A favorite "spy" cipher of the fifties and sixties was a straddling check- 
erboard encipherment followed by addition modulo 10 of a series of random 
numbers to the enciphered text. For example, if the checkerboard is 


taken to be 


0123456789 
ETNRIOAS 
8 BCDFGHJKLM 
9 PQUVWXYZ 


and we have a random one time pad which begins 


03948 23348 78539 55683 ........ 


January 1977 60 


We encipher as follows: 


PLAINTEXT: & E Sabi SX COR LA RR A RSE LS 
NUMERIC ENCIPHERMENT: 6 3 7 07 181 088 6 3 06 3 1 089 
RANDOM NUMBER STREAM: 0 3 9 4 8 233 487 8 5 3 9 5 5 683 
FINAL CRYPTOGRAM: 6 6 6 45 314 465 4 8 3 5 8 6 6 62 
TRANSMITTED CRYPTOGRAM: 66645 31446 54835 86662 


The security of the above system is thought to reside in the random key; 
the straddling feature of the preliminary numeric encipherment is primar- 
ily to shorten the message length. We have placed the higher frequency 
portion of the English letters in the first row of the checkerboard in 
order to achieve maximum message compression. In our checkerboard, the 


first row includes about 66% total frequency letters. 


The straddling device is a weakness of this cipher since it reduces the 
random key consumption per letter. Approximately 66% of an average En- 
glish text will be represented by one digit with the above checkerboard 
and will, hence, require 1 random digit for encipherment. About 34% of 
the average text will require two random digits for encipherment. This 
makes the average key consumption about .66(8) + .34(20) = 12.08 digits 
per letter. We base this on the fact that, if letter divisions were 
maintained in the final cryptogram, then each one digit cipher digit is 
uncertain by 8 equilikely digits 0,1,2,...,7 and each two digit cipher 
character is uncertain by 20 equilikely digits. (The first digit must be 
an 8 or 9, the second 0,1,...,9.) This value is lower than the magic 
number of L=13 derived previously and so the cipher is solvable uniquely! 
The first row of the checkerboard could contain letters totaling as low 
as 58% in frequency for the key consumption to be below 13, All of the 
above postulates that the checkerboard is known (a reasonable assumption) 


and that the letter divisions are maintained (an unreasonable assumption). 


As we have shown, the security of a cipher system like the one just dis- 


cussed resides in great part on the fact that letter divisions are de- 


CRYPTOLOGIA 


stroyed when the final cryptogram is transmitted. We pose the question 
to the reader: Is this destruction of the letter divisions enough to 
convey inpenetrability in the theoretical sense? Obviously, ciphers 
based on one time pads are not uncrackable in the absolute. More needs 


to be said. 


REFERENCES 


l.Shannon, C.E., "Communication Theory of Secrecy Systems", Bell System 
Technical Journal, 28, October 1949, pp. 656-715. 


2.Hellman, M., "The Shannon Theory Approach to Cryptography", Submitted 
to Transactions on Information Theory, Oct., 1975. The author has 
followed Hellman's approach throughout this paper. 


3.Kahn, David, The Codebreakers, Macmillian, New York, 1967, pgs. 462-64. 


4.Tucherman, Bryant, "A Study of Vigenere-Vernam Single and Multiple 
Loop Enciphering Systems", RC 2879, IBM, October 1975. 


5.Copland, Miles, Beyond Cloak and Cipher, Pennacle Books, New York, 
1975, pp. 364-66. Vigenere with Random One Time Pad. Accompanying 
text should be ignored. 


January 1977 62 


Figure I, Unicity point line Figure II. Unicity point curve for 
log E = -D:N + H for Vigenere with English running key Vigenere. 
period 5 and varying source message Horizontal axis: number of letters 
redundancies. Horizontal axis: intercepted. Vertical axis: 

log E. Vertical axis: N, number number of spurious decipherments. 


of letters intercepted. 


29 
20 
wp 
[24 
af 
rd: 
o D à i 
^ 
^ 
oor 
50 
i 
i 
i 
E A — i ^ 
o 50 100 us 
Figure III. Redundancy reduction Figure IV. Typical entropy calcu- 
curve for English. Horizontal axis: lation curve. Horizontal axis: 
percent of plaintext deleted. log N, where entropy is calculated 
Vertical axis: percentage redun- on basis of N-grams. Vertical 


dancy remaining in text. axis: entropy. 


CRYPTOLOGIA 


APPENDIX A 


A simple mathematical model of a cipher system can be constructed as 
follows. Suppose we have M messages Mi M, s». My which we might 
desire to encrypt. To encipher these messages we assume that K keys 


Kk; K3, TTS Ky; all of which may be used to encrypt each message, are 
available. If we encipher all M messages each with all K possible keys 
we will obtain C cryptograms, SU D gs Co. Clearly, 

C « MK. 


The encipherment process can be visualised as shown below: 


k 


I.ENCIPHERMENT M, 


Me 


—_>__ Ce 
In attempting to break a given cryptogram a penetrator could, we assume, 


try all possible keys for each possible cryptogram and make a list of 
cryptograms and corresponding messages. Generally, when all of the keys 
are tried on a given cryptogram a number of meaningless decipherments will 
be produced as well as a number of "spurious" decipherments which are 
valid messages but correspond to the use of the wrong key. The decipher- 


ment process can be visualised as follows: 


January 1977 64 


II.DECIPHERMENT 


MEANINGFUL ^ 
MESSAGES M2 


Mn 


Mone 


MEANINGLESS ' 
MESSAGES 


My "Ce 
We let My be the total number of messages, meaningful and meaningless, 


which are obtained by trying all possible keys on all possible cryptograms. 


If we assume that all messages and keys are equiprobable in I, then the 
probability of receiving the ith cryptogram, €i» is directly proportional 


to the number of lines ending on Ci in I, thus, 


prea 
where 
Pi = probability of receiving cryptogram ci 
a = proportionality constant 
Ni - number of lines ending on Ci in I. 


CRYPTOLOGIA 


The proportionality constant can be found. Since 


(0 c 
Zp, = 1=a-2N. = a*MK, 
Pig ; 

i=l i= 


then, we have 


1/MK 


w 
" 


and 


"d 
" 


N; /MK 


The number of "spurious" decipherments for Ci is the number of lines end- 
ing on Ci in I minus 1 (the correct decipherment) if we specify that 
decipherment using the wrong key does not lead to the correct message. 
The average number of "spurious" decipherments is therefore: 


Pi P; MK - 1). 
1 


It is of particular interest to find out what type of cipher systems are 
most insecure in the sense that N is a minimum. Mathematically, we seek 


an extremum of N subject to the constraint 


[^ 
Lp, € 1 
isl * 
Introducing the Lagrange multiplier A , we define 
[^ Cc 
$ = IDOM + AL (p, - D. 
i-i i=l 


A necessary condition for an extremum of 4$ is that 


8$/3p, = 2p,MK - 1+ A= 0 161,2,.4556 


January 1977 66 


Thus, 
P. (1-A)/2MK = constant. 
Solving for p,» we find 
P. 1/C. 
This extremum is readily seen to be a minimum and so we can conclude that, 
from this viewpoint, the most insecure cipher systems are those in which 
all possible cryptograms are equilikely to be received. Note that this 


result applies to the entire spectrum of cryptograms possible and not to 


individual cases. 


For any cipher with equiprobable messages and keys we must have: 


(1/C) (MK/C -1) -MK/C - 1. 


The unicity point, for this cipher model, may be defined as 


N= MK/C-1 =0. 


COMMENTS 
l.It is usual to assume that C = Mr- The above formula then becomes 
Ñ > (MMK - 1. 


One can see clearly from this last formula how the unicity point concept 
arises. If we think of M,C, and Mr as increasing functions of the number 
of characters intercepted, then the ratio of meaningful messages of a 
certain length to total messages of the same length would be expected to 
rapidly approach zero as more characters are intercepted. Thus, the num- 
ber of spurious decipherments falls rapidly if the number of keys remain 


fixed. When Ñ = 0 then only the correct decipherment of the cryptogram 


CRYPTOLOGIA 


remains and this solution is uniquely determined. Two approaches that 
might prevent N from approaching zero immediately suggest themselves. We 
may attempt to increase the number of keys as the number of characters 
intercepted increases (e.g. running key ciphers); or, we may adjust the 
cipher generated so that the ratio M/M,, does not tend to zero with the 
number of intercepted characters. When implemented successfully, either 
procedure yields a cipher system with unicity point never approaching 
zero and, hence, gives ciphers which are not uniquely solvable no matter 


how much text is intercepted. 


2.In Shannoa's theory, one can receive "dummy" cryptograms, i.e. Ni = 0. 
In this case, Ni is taken to be a binomially distributed random variable 
during decipherment using a random key. The binomial p value is taken 
to be M/M,. Since there are K-1 trials in deciphering, the average of 
this distribution is 


Ñ = (M/M,) (K-1). 


The difference between this value and our previous minimum value is 


s 


N-N. = M/M; - 1 


indicating that both theories are in good accord. 


APPENDIX B 


As mentioned in the text, the entropy of a language is calculated from 
the definition: N 


where the » are the probabilities of occurrence of the N-grams of the 
language. Individual letter frequencies can be used to find the first 
approximation R,, digraphic frequencies to find the second approximation, 
R, etc. In practice the curve found by this process has the shape shown 


in Figure 4. For the first few values of N, the entropy values found 


January 1977 68 


decrease in an approximately linear manner as a function of log N. This 
decrease continues until some value N of N is reached at is greater 

than 20 in English) at which time the entropy values obtained level out. 
In actuality other methods besides attempting to construct N-gram tables 


for large N are used to estimate the final limiting value obtained. 


In the curve shown in Figure 2, the initial decreasing segment of the 


* 
curve for N less than N was approximated by a line of the form 


R = R(N) = A log(N) + B. 


The constants A and B were found using the known values for entropy when 
N = 1 (R=1.24) and N = 8 (R=.71). No precise curve fitting was attempted 
since the known values themselves are not fully agreed upon and because 
relatively wide variations of these values yield virtually the same 
curve as shown in Figure 2. 


CRYPTOLOGIA 


CIPHER EQUIPMENT 
Louis Kruh 


This column will feature a different cipher device or machine in each 
issue. Assuming that most people rarely see cipher equipment the column's 
emphasis will be on photographs with text limited mainly to historical 
information. For readers interested in technical data references will 


be provided where appropriate. 


To inaugurate the column, the United States Army's version of one of the 
most widely used cipher devices has been selected, the Signal Corps 
Cipher Disk (Figures 1 and 2). 


Figure 2 


Figure 1 Back of Signal Corps Cipher Disk 


Front of Signal Corps Cipher Disk 


Signel Corps, U. S. Army 


ARMY CODE CARD.—The International Morse 
Code for U. S. Army and U. S. Navy signaling. 
n, 


NUMERALS 


is unknown, signal -— at intervals followed by the 
call or signal of the calling station until acknow- 
ledged. 

Make a slight pause a 
"front." If the sende, 
an error, he should mak 
he begins the word in which the error occurred. 


January. 1977 70 


This disk was the official U. S. Army field cipher between 1910 and 1920, 
about 450 years after its invention by Leo Battista Alberti ca. 1460 
(Figure 3). 


Figure 3 
Alberti Disk 


The disk was usually made of celluloid, cardboard or leather and con- 
sisted of a reversed cipher alphabet revolving inside a standard plain 
text alphabet. This produced a series of twenty-six reciprocal alphabets. 
The Army used it with a running or repeating key word which resulted in 


a straight periodic Beaufort cipher. 


During the first World War the cipher disk was the only device which was 
known to the American Expeditionary Force. The security of the disk was 
questioned before World War I but records show that this system was 
studied and taught at the Army Signal School in France. However, the 
American Expeditionary Force discontinued its use in December 1917 and 
there is no evidence that they actually employed the cipher disk for the 


exchange of official messages 


CRYPTOLOGIA 


On January 18, 1918, William F. Friedman completed Riverbank Publication 
No. 16, Methods for The Solution of Running-Key Ciphers, in which he 
stated that even a single short message enciphered by the U. S. Army 
disk is "easily and quickly deciphered [solved] " 


Using a disk with two standard or direct alphabets produces a Vigenére 
cipher. During the Civil War the Confederates made extensive use of the 
Vigenère, sometimes with the help of a cipher disk. 


The Union's Chief Signal Officer, Major Albert J. Myer, developed a 
cipher disk with the alphabet on the inner disk and combinations of num- 
bers on the outer disk for use in flag signaling. After its adoption in 
1863 the Confederates were unable to solve Union messages. A patent was 
issued to Myer for a Disk of this type on November 14, 1865 (Figure 4). 


il [v ju 


Figure 4 
Disk patented by Myer 


At least two other patents have been issued for disks similar to the 
United States Army Signal Corps Cipher Disk. One of them was granted to 
Frank S. Baldwin, St. Louis, Missouri, on November 20, 1877. In addition 
to the standard and reversed alphabets the device included a third fixed 
or stationery inner disk with a pivoting index or pointer and numbers 


from 0 to 25 juxtaposed with the reversed alphabet on the revolving sec- 


January 1977 


tion (Figure 5). The main purpose of the numbers was to provide another 
set of characters for use in a key word or phrase. 


The other patent was obtained by Spencer H. Huntington, Kerrville, Texas, 
on July 1, 1924. This device was identical to the Signal Corps Cipher 
Disk except for a blank space between the first and last letters of each 
alphabet (Figure 6). According to the inventor, "The blank space makes 
it possible to indicate the spaces between words by their equivalent 

code letter making the letter grouping entirely different in original 

and cipher." Like most inventors of cryptographic devices Mr. Huntington 
claimed it was impossible to solve messages enciphered with his device. 


The cipher disk is probably the world's best known cryptograph and it has 
been the basis for most cipher "inventions" by cryptographers or would-be 
cryptographers during the more than 500 years since it was first de- 
scribed by Alberti. 


During the mid-1930s and 1940s several companies offered decoders (which 
actually were cipher disks) as premiums to youngsters and radio programs 
they sponsored included secret messages to be deciphered with them. 


Disk patented by Huntington 


Disk patented by Baldwin 


73 CRYPTOLOGIA 


Occasionally, a few firms still offer this kind of premium and some 
decoders or disks used by children are more sophisticated than the Signal 
Corps Cipher Disk that was available to United States Army cryptographers 
in World War I (Figure 7). Today the memory of this classic cipher 
device is perpetuated as the symbol of the National Security Agency 
(Figure 8). 


Despite the extensive source material on the Signal Corps Cipher Disk 
some key historical facts could not be located. This includes the exact 
date this disk was officially adopted by the United States Army, where 
it was manufactured, how many were produced, the date it was withdrawn 
from use and the name of the person responsible for the choice of stan- 
dard and reversed alphabets and his reasoning in making that decision. 


Readers who can fill in any of the gaps are encouraged to write. All 
correspondence should be addressed to Louis Kruh, 17 Alfred Road West, 
Merrick, N. Y. 11566. Letters are also invited from readers who own 
cipher equipment and from individuals who wish to suggest specific 


devices or machines to feature in future colums. 


Figure 7 
Signal Corps Cipher Disk Figure 8 
surrounded by disks (decoders) Symbol of NSA 


used as premiums. 


January 1977 74 


Bibliography 


Friedman, William F. American Army Field Codes in the American Expedi- 


tionary Forces During the First World War. Washington: Government 
Printing Office, 1942. 


Methods for The Solution of Running-Key Ciphers. Publication 
No. 16. Geneva, Ill.: Riverbank Laboratories, 1918. 


"Edgar Allan Poe Cryptographer, Addendum," The Signal Corps 
Bulletin. October-December, 1937.* 


Kahn, David. The Codebreakers. New York: The Macmillan Co., 1967. 


Lesser, Robert. A Celebration of Comic Art and Memorabilia. New York: 
Hawthorn Books, Inc., 1975. 


Marshall, Lt. Col. Max L. (ed.). The Story of the U. S. Army Signal 
Corps. New York: Franklin Watts, Inc., 1965. 


Myer, Brig. Gen'l. Albert J. A Manual of Signals. New York: D. Van 
Nostrand, 1868. 


U. S. Army. Eastern Signal Corps Schools. Pamphlet No. 32. Historical 
Sketch of the Signal Corps (1860-1941). Fort Monmouth: Eastern 
Signal Corps Schools, 1942. 


U. S. Army Security Agency. Historical Background of the Signal Security 
Agency, Volume One. Codes and Ciphers Prior to World War I. 
n. p.: n. n., 1946. 


U. S. National Security Agency. Careers in Engineering and Mathematics. 
Washington: Government Printing Office, 1968. 


Letters to the writer. April 23, 1971. August 16, 1976. 


U. S. Patent Office. Patent No. 50, 946. Improvement In Signals. 
Issued to A. J. Myer. November 14, 1865. 


. Patent No. 197, 199. Cryptographic Device. Issued to 
F. S. Baldwin. November 20, 1877. 


ae . Patent No. 1, 500, 077. Coding Device. Issued to 
S. H. Huntington. July 1, 1924. 


CRYPTOLOGIA 


U. S. War Department. Office of the Chief Signal Officer. Document 


No. 500. Signal Book United States Army. Washington: Government 
Printing Office, 1916. 


« . Manual No. 6. Visual Signaling. Washington: 
Government Printing Office, 1910. 


*Ed. Note: This work and others are now available in Cryptography and 
Cryptanalyses, Vol. I & II, Aegean Park Press, Laguna Hills, CA, 1976. 


January 1977 76 


SOME CRYPTOGRAPHIC APPLICATIONS OF PERMUTATION POLYNOMIALS 


Jack Levine and J. V. Brawley* 


1. Introduction. The purpose of this paper is to indicate how permuta- 
tion polynomials defined over a Galois field GF(q), q=p" (p a prime) can 
be used to construct cryptographic systems of a general mathematical na- 
ture. That such polynomials can be so used should not be surprising 
since they determine permutations of the field elements which are the es- 
sential basis of a cipher alphabet. Our only interest here is to de- 
scribe various methods of encipherment and to give some examples to il- 
lustrate the procedures. No attempt will be made here to evaluate their 
effectiveness or to consider possible cryptanalytic procedures. Such 


considerations are reserved for a future paper. 


Since constant use will be made of Galois fields a brief summary of 
their properties of immediate interest is given in the next section. For 
more detailed treatments [1], [2], [3], [4], [9], [10], [13], [17], [18], 
[19], [20] may be consulted. 


2. Galois fields. Denote the Galois field GF(q) by F. The elements 
x of F may be represented by the set of q polynomials 
1 n-2 


n- 
(2.1)  xeegt + ct fest eot * e 0 se SP - D 


where t is a primitive element of F i.e., every x (#0) can be expressed 
in the power form x - e for som k, 1 « k <q- 1. In addition wl 21 
where q - 1 is the least positive integer with this property. Hence we 
may write F = (0, t, t^,..., tUl 


The primitive element t satisfies an irreducible equation of the form 


PET n-1 è k z 
(2:2) "fü 8$ 9 kt test kK t+ ka = 0 (0 sk <p-)), 


(and satisfies no equation of -lower degree with coefficients in GF(p)). 
The polynomial f(t) is called a primitive polynomial over F, and (2.2) 
can be used to convert any power form x = AS to the polynomial form (2.1) 
by expressing t" as 


*Research supported in part by ONR Contract N00014-76-C-0130. 


CRYPTOLOGIA 


oe n n-1 


(2.3) t = -kt Tk k 


n-1* "me. 
and using (2.3) to express higher powers e eu. as polynomials in 


t of degree <n - 1. 


The coefficients zi of x in (2.1) give the component form 


(Cg, €1,.. 5€, 4) of x. 


Finally, the field-value of element x is defined by 


a n-1 n-2 
(2.4) f= Cop + cp teest Ca opt Cas 


sod<f<q-l. 


If elements x = CE 17508» y= (d, dys+-+sd 1) then 


x+ys (eo * do: cy 4+ da» (addition taken mod p). If 
k 


alsox=t,ye= t", then xy = m where exponent k * m is taken mod | 
(q - 1). 


* dee 


In summary, an element x of GF(q), (q = p»), may be represented by its 
component form (Cys €, ye++,C, ,) obtained from (2.1). bv its field-value 
f given by (2.4), and (if x # 0) by its power form x = e (where k will 


depend on the particular primitive polynomial (2.2) being used). 


To illustrate the above remarks consider the GF (35) and an associated 
primitive polynomial t + 2t + 1. Then elements 0 = (0, 0, 0); 

t = (0, 1, 0); t? = (1, 0, 0); t5.12p9 pol. $9 X denm 1572)5 

t'- t ¥ 2t = (0, 2, 0); t= € Vor t (P3: 2y 9 oe 200. 390237 
etc. Also ds =1= (0, 0, 1). A convenient way to disploy the various 
representations of the field elements is by means of Figure 1 (+ = word 


space). 


Explanation: The columns marked (a) will be used later in the explana- 
tion of an enciphering method. Columns (b) give the field-values of the 
27 field elements. Columns (c) give the component forms of these ele- 

ments, and Columns (d) give the exponents of the power forms (except for 


January 1977 78 


the 0-element marked *). The left half of Figure l is arranged in order 
of the field-values 0, 1, 2,...,26, while the right half is in order of 


the exponents. The component form (eo; ei co) is written c for 


C, C. 
0172 
convenience. Figure 1 shows, for example, that element x - 212 has field- 


value 23 and x = ee Also, element e = 221 = 2 * 2t * 1 with field- 


value 25. To multiply (212)(221) = t^-t74 = 179 = «5 = (012). To divide 


(212)/ (221). «7174 » «719... 47 2: (22). 


3. Permutation polynomials. A polynomial 


© q-1 q-2 
(3.1) P(x) = ax + ax +...+ 4.2% + 4-1 


with coefficients ai belonging to a GF(q) is called a permutation poly- 
nomial if as x assumes the q elements of the field Xi» Xy 
corresponding P(x), P5). PG) is a permutation of the x,'s. For 


kee the 


an extended treatment of permutation polynomials [5], [6], [7], [8], [9], 
[11], [12], [13], [14], [15], [16], [21], [22] may be consulted. A sim- 
ple example is given by P(x) = 2x + 3, q = p= 7. Corresponding to the 
elements x = 0,1,2,3,4,5,6, P(x) gives respectively 3,5,0,2,4,6,1. Thus, 
if we consider the seven field elements as corresponding by a bijection 
to the letters of a 7-letter alphabet, then an encipherment process is 
given by the scheme L + x + P(x) + L', where L is an alphabet letter and 
x its associated field element. Letter L' is the cipher substitute for 
L. 


CRYPTOLOGIA 


GF(3°), primitive polynomial to + te 


(a) (b) (c) (d) (a) (b) (c) (d) (a) (d) (c) (b) (a) (d) (c) (b) 
A 0 000 0* O 14 112 11 A 0*0000 G 14 020 6 


B 1 00126 P 15 120. 4 D 1 010 S 15 200 18 
C 2 00213 Q-16 12? 18 J 2 100 H 16 021 7 
D 3 010 1 R12 122 7 Fe $ 12 5 V 17 21021 
E 4 01 9 S 18 200 15 P 4 12015 Q 18 121 16 
F- S5 012 3 T 19 201 25 X S 212,23 + 19 222 26 
G 6 020 14 U 20 202 8 N 6 111 13 W 20 211 22 
Bins 7,4021.16 V 21, 210, 17 E T 3222-17 K 21 101 10 
I 8 022 22 W, 22. 211. 20 U 8 202 20 I 22 022 8 
J, 9.:100,.,2 X.:25, 212. .5 B, 49. 011.4 Y 23 220 24 
K 10 10121 Y 24 220 23 M. 10 Por Z 24 221 25 
L 11 102 12 Z 25. 22), 24 O 11 112 14 T .25. 201 19 
M 12 110 10 + 26 222 19 L 12 102 11 B 26 001 1 
N 13 111 6 C 13 002 2 
FIGURE 1 
In the general case of an N-letter alphabet A where N = p =q, an 


encipherment procedure can be obtained as follows. 
(1) Establish a correspondence (bijection) between the N letters of A 
and the N field elements of a GF(q), (based on some primitive polynomial). 


(2) If a plain-text be indicated by L convert these letters to 


ibis 
ies 
(3) By means of some permutation polynomial P(x) associated with the 


1%2%3 to P(x, )P (x3)P (x3) . 


their respective field elements, say x 


field convert the sequence x 


(4) Convert these P(x;) to letters of A by means of the correspondence 
of (1). 


It will be recognized that the above procedure produces a fixed (simple) 
substitution encipherment. In order to gain some complexity it is suf- 


ficient to use a permutation polynomial containing one or more (essen- 


January 1977 80 


tially) arbitrary parameters, for example, P(x) = ax + b, where 

a,b e GF(q), and are arbitrary (except a # 0). Now if a and b are varied 
in some prearranged manner as we proceed in the encipherment a variable 
substitution will result (the a and b may be considered as determining 
the "key letters" of the encipherment). 


In general, if the permutation polynomial be represented by 
y = P(x; 818, (a; € GF(q)), where the parameters a 
s 0, & 


phe may be 


restricted, e.g., by ay #0, aja not a square, etc., then 


3 ~ *4*s 6 
corresponding to Xi the field element in position i of step (2) above we 
would use a set of parameter values a 


NC ED this choice being 


li a 
determined by some rule so chosen as to satisfy all parameter restric- 
tions (examples are given in the sections to follow). To obtain the 
decipherment it is necessary to know the inverse permutation polynomial, 


i.e., x = Q(y; Ajs+++ 58). 


" P iei n 
In the examples to follow it is shown how to remove the condition N = p 
(mentioned above). 


4. Example 1. This example is based on the GF(3°) table given in section 
3, (Figure 1). Here N = 27 with + = word space representing the twenty- 
seventh letter. Column (a) of the table shows the alphabet letters, and 


(a) and (c) give the correspondence of step (1) given in section 3, so 
A= (0, 0, 0), H = (0, 2, 1), etc. We use the permutation polynomial 
y = ax + b, (a # 0), where a,b are determined by 

b 


31,2 ^ 8,18,» Pisz = biu * bi (121,2, 3,...), with initial values 
a, = (0, 2, 1) = t6, à, = (1, 1, 1) = t9, b, = (0, 0, 2), b, = (1, 1, 0). 


CRYPTOLOGIA 


The encipherment of the word FIELDS may be exhibited in the form 


(a) F I E L D s 
(b) (0,1,2) (0,2,2) (0,1,1) (1,0,2)  (0,1,0) (2,0,0) 
(c) 3 22 9 12 1 15 
(d 16 6 22 2 24 1 


(e) (22,2) ,0,0) (2,1,2) (0,2,0) "(2;0:1) "(022,1) 
(£) (0,02) (13150) (45152) (2,22) - (02011) ' (21220 
() G,2,D (QG,1,0 (10,2,)) (21,2) 1^(25,0:2)' "(2315 D) 
(h) Z v H X U W 


Explanation: (a) = plain-text letters; (b) = component form by Figure 1; 
(c) = exponents of power form (F = (0,1,2) = t’); (d) = exponents of 


bona Chime yine 19); (e) = component form 
94h16 119 : 

of products iX. (a,x, -tt =t = (2,2,2)); (f) = component forms of 
bi, b> bie (g) = component form of Yi = &X, + bi from (e) * (£); 
(h) = cipher-text conversion of (g). 


power forms of ap ays a 


To decipher, the inverse polynomial x = a`! (y-b) is used. 


5. Permutation functions with N = p° + 1. Carmichael [9, Chap. IX] de- 
scribes a method of adjoining a symbol œ to a GF (p^) giving p° + 1 ele- 
ments which can be associated with (rational) permutation functions, and 
which can thus be used with alphabets of N = p * l letters. We illus- 
trate this with the permutation function 

y = (ax + b)/(ex + d) = R(x), A = ad - be # 0; a,b,c,d € GF(p"). The 
symbol æ is to represent any expression of the form x/0 (x # 0), where 
x e GF(p"). Thus R(-d/c) = e, (c # 0), R(*) = a/c, (c # 0), R(s) = œ 
if c = 0. Consider the GF (52) with primitive polynomial t + 4t +2, and 


choose A = normal alphabet, N = 26 = s? + 1, with the correspondence: 


& B. 56 1D. B. PGi hs, Wed Kibo No SPs Bek 43 D Edd WX 
(a)00 01 02 03 04 10 11 12 13 14 20 21 22 23 24 30 31 32 33 34 40 41 42 43 


(B)0* 24. 6.18 12 1.22 15 .2 17 .7,.8,.4, 22,22 ol :0.11436,20. 13.5.34. -$ 


January 1977 82 


Y 
(a)44 œ 
(b)10 - 


Row (a) consists of the 5? component forms of the field elements plus 
symbol œ. Row (b) consists of the exponents of the corresponding power 


form (excluding 0). 


To obtain sets of parameters (ai; bi 


^ = ajdi - bici # 0, select 2x2 matrices LUE M, such that LA # 0, 


» C., d,) such that 
Hai 


|M,| # 0, and define M,,, = M, M., where M, = 
2 i+ i 


2 i41 For example, 


12 01 23 33 

if M, = » M= å 
; 34 00 5 17 10 
41 23 14 20 


then 


= 
u 

z 
" 


21 322 22 34 


To encipher SEEM: 


plein: S. B B M 
X 33 04 04 22 

E 34 20 02 œ 
cipher: Te Lh 202 


y; 


i (aix, * bi)/Ceix, * di). To calculate y, we have 


få [(14) (22) + (20)]/[(22) (22) + (34)] = (24 + 20)/(21 + 34) =44/00===2. 


The inverse transformation will, of course, be x = (-dy + b)/(cy - a). 


6. Polygraphic encipherment using several fields and permutation func- 


tions. 


We give a brief description of the stated type of encipherment which will 
be seen to be equivalent to the independent and simultaneous encipherment 


of several messages, each such encipherment being similar to a type de- 


CRYPTOLOGIA 


scribed in the previous sections. 


Consider then an L-letter alphabet P with letters denoted by 
^ > Ay nm 
(polygraphs) which may be constructed from the L letters of P, a 


AL (called the basic alphabet). There are N = p n-graphs 


typical one being denoted by A = Lib, yes La uU e P ). Consider these 
N n-graphs as the "letters" of an alphabet A. To encipher a plain-text 
composed of letters from alphabet P divide this text into a sequence 

of n-graphs. These n-graphs are then enciphered by means of one or more 


fields and associated permutation functions in the following manner. 


m. 
Assume N can be expressed as N = Ny + Ny t... Nye where Ni z By or 
m 


Ni = P; + 1 (p; = prime). The N = L" letters (n-sravhs) of alphabet A 
are partitioned among k sub-alphabets of A = Ay u A, i, A. (as de- 


scribed below), where Ai is to contain Ni letters (n-graphs), 


(i21,2,...;k). To each of the Ai is assigned a field GF (p; D z Fi 
and a permutation polynomial P; (x) if Ni - P. 1 or a rational permutation 
function R; (x), (see 85), if N 2 Py + l. The manner in which the N 
n-graphs are to be partitioned into the ^i alphabets is as follows: 

(1) Assign to each of the L letters of alphabet P a numerical value 
from the sequence 0, 1, 2,...,L - 1, say, ^ = a), A, = Gy sree Ay si, 


where a a, is a permutation of 012 ...(L - 1). 


192 ses 
(2) Convert any n-graph à 
grap 


" 


L,L, ... L. to a numerical form 
12 n 


A= (viva Ane v,) where Vi numerical value of Li by (1). 


(3) Define a number c by 


ozv L + VoL test V. tV 


aat n 

Then o is called the numerical value assigned to the n-graph A, 
(<0 «1^. 4); 

(4) Put all those n-graphs in ^ for which 0 « c £N - 1; put all 


those n-graphs in A for which N, « c ER *N,- l,...; put all those 


2 1 


n-graphs in A. for which Ny Pait NC] 


(5) Suppose an n-graph à has been assigned to sub-alphabet A. The 


2 
<o<N-1l. 


January 1977 84 


numerical vaiue c of A, (see (3)), satisfies 


Ny ict Ney so <N +... N,-l. Now define p by 


o - Qu Pecot Nip» (0 «o <N -1). 


p 


(6) An element in the field Fi is determined by defining its field- 
value to be p given in (5). If p be expressed in base Pi by 


m, -1 m, -2 
LEO WE T X ETT 
AS i Pi ub oT? 


then this field-element will have the component form (eo; £108 p 

(7) The above procedure defines a bijection between the letters ri 

(n-graph) of each ^ and the elements of field Fi In the case where 
m. m. 


- 1 = - = i 
Ni P. * 1 and p Ni 1 Pi 
corresponding A will be œ, 


the "field element" assigned to the 


(8) The n-graphs of a plain-text which appear in sub-alphabet ^i are 
now enciphered with the aid of the function Pi (x) (or R; G9) by any of 
the methods as described in 835,5. (This implies the cipher substitute 
of an n-graph in A will also be one in Ai) 


To illustrate the various phases of the above procedure consider the 
following examples. 


Example 1. Consider the case of digraphic encipherment, n = 2, L = 26, 
with alphabet P the normal alphabet with assigned numerical values 
As0,B251,...,2225. N= 26? is decomposed into 

26° 2.1 «135^ © (351) + (SH 1). N97 «34, a 13^ «160; 


1 2 
Nz = N4 = 82; N} +N, = 512, N} +N, +N, = 594. As A e Aj e A e Ay. 


1 3 4 
A digraph à is in A if 0 < c < 342, in A, if 343 < o < 511, in As if 
512 < ø < 593, in As if 594 < o < 675. The digraph à = RM = (17, 12) 
has o = 17 x 26 + 12 = 454. Hence RM is placed in As. From the defi- 


nition of p (with i = 2), p = G - N, = 111, which when converted to 


1 
base 13 (A, associated with GF(13*)) gives field-value 111 in 

2 
GF(13") = (8, 7) in component form. Hence in the bijection of A, with 


cr(132) RM corresponds to element (8, 7). 


CRYPTOLOGIA 


Consider now the GF(75) generated by primitive polynomial e -t-5; 
GF(13*) by t? + t + 2; and GF(37) (for both Az, A,) generated by 

ew * 2t * 2. The four permutation functions to be used in encipherment 
are: for A :yex +a; for A, ry X tbi 

for As ye cs 1/Q? +1); for A, :y = a+ 1/ + 1). The 


parameter (key-values) are to be defined by: 


Aj: aj=(1, 0, 2)a, , + (2, 3, 6); a," 2, 4, 5), 
Aj: bi-(7, 8)b; 4 3 b}=(7, 10), 

As: e, 0, 0, 0)c 4 $ ea, 17:0; 1); 
Ay: d;*(1, 0, 0, O)d; | ; dj*Q, 2, 2, 0). 


The encipherment of PERMUTATION POLYNOMIALS takes the form: 


January 1977 86 


(a) PE RM UT 

(b) 394 = A, 454 = A, 539 = A, 

(c) 51 = (3, 12) 111 = (8, 7) 27 = (1, 0, 0, 0) 
(d) (7, 10) = bi (12, 8) = b, (13 1;°6) 3) = 2 
(e) (9, 8) = y, (6, 10) = y, GQ, 1, 2, 0) = y; 
(f) 125 88 42 

(g) 468 = (18, 0)* 431 = (16, 15)* 554 = (21, 8)* 
(h) SA QP VI 

(a) AT IO NP 

(b) 19 = A, 222 = A, 353 = A, 


(c) 19 = (0, 2, 5) 222 = (4, 3, 5) 10 = (0, 10) 
(à (2, 4,5) =a, (6,4,1) =a, (3, 0) =b 
(e) (4; 3, 4) =y} (2,5, 0 =y; (3, 4) = y6 


(f) 221 133 43 

(g) 221 = (8, 13)* 133 = (5, 3)* 386 = (14, 22)* 
(h) IN FD ow 

(a) OL YN OM 

(b) 375 = A, 637 = A, 376 = A, 

(c) 32 = (2, 6) 43 = (1, 1, 2, 1) 33 = (2, 7) 

(d) (3, 10) = b, (1, 2, 2, 0) = d, (8, 12) = b, 
(e) (4, 11) = y, (1, 0, 2, 2) = yg (5, 6) = yg 

(f) 63 35 71 

(g) 406 = (15, 16)* 629 = (24, 5)* 414 = (15, 24)* 
(h) PQ YF PY 

(a) IA LS 

(b) 208 - A, 304 = A 

(c) 208 = (4, 15) 304 = (6, 1, 3) 

(a) (0, 3, 0) = a, (2, 5, 0) = ay 

(e) (3, 5, 5) = xg (l, 4, 2) = Yi 

(£) 173 79 


CRYPTOLOGIA 


Explanation: (a) = plain digraphs; (b) = values of c; (c) = values of p 
and component form of corresponding field elements; (d) - parameter 
values; (e) = component form of cipher digraph field elements; (f) = 

p values of (e); (g) = c values of (f) converted to base 26 (indicated 
by *); (h) = cipher digraphs. 

Example 2. Here n = 3, L = 26, N= 26°. Alphabet P is to be the nor- 
mal alphabet with assigned numerical values (see (1) this section). 

AB. CD BF GH 1J KLWN OO PG RS TU WV WX 4.2 

3 16 11 23 21 7 18 13 25 0 20 9 2 8 15 14 1 10 24 19 15 12 22 4 17 6 


N= 265 can be decomposed into 265.75 * 36 + 33 + 13, so N 


1 
N. Nw 7 «39. 17,556: Ny +N, +N; = T + 36 « 35 = 17,563; 


N.= 265 = 17,576. The encipherment is by trigraphs. Given trigraph 
À = THE = (19, 13, 21) calculate o = 19 x 262 + 13 x 26 + 21 = 13,203 
(see (3)). Hence THE is in sub-alphabet ^ ( Fy = GF(7°)). Calculate 


p=0o=5x 74 +3x 7 +3x 7 +3x7+ 1 (see (5)), so the compo- 


=7°=16,807; 


nent form of the field element in Fi associated with THE is (5, 3, 3, 

(25, 24, 23) 
gives o = 17,547, so ISD is in Azs and p =o - (Ny + N,) =lls= 1.3* * 
0.3 + 2.1. Hence the field element of Fz = GF (35) associated with ISD 
will have component form (1, 0, 2). 


3, 1). A similar calculation for trigraph à = ISD 


n 


7. Encipherment by use of a single field with q = p > N. 


It is of interest to note that an encipherment process can be formu- 
lated by use of a single field of order p” > N where N equals the num- 
ber of letters in the alphabet A. To consider this idea let F = GF (p^) 
and A = alphabet (A,, A,,...,A ) of N letters, p” > N. Partition the 
elements of F into two sets S = (x), Xas eX)? S' = F-S = Ge ox) 
in any prearranged manner and set up a bijection between the N letters 
of A and the N elements of S. Let y = P(x; ajasta) = P(x; a) be the 


permutation polynomial to be used to carry out the encipherment. 


To encipher plain-text P1P2P; -.. first replace letter P; by its corre- 


January 1977 88 


spondent, say fi, in the bijection, so P 1P3P S at £,f,f, 549r And 


fi e S. Next evaluate P(E); ay? = [^ (where 20) = (a1; 812»: 581) 
'the first set of parameter values). Now if g © S and Rye G by the 
bijection (€, € A), then Pi is enciphered to C. However, if g £ s' 
evaluate P(g), 205) z 5; where the same parameter values aa) are used. 
Again, if & € S and $5 t* Di (of A), then Pi is enciphered to D. 

If g € S' then repeat the procedure, P (g3 aq)? = gz, etc. Since S' 
contains a finite number of elements we must eventually reach a Sy 
such that PG 1; aqp? = gE S. Then Pi is enciphered to Ei where 

g ** Ei, (By oe 8. e S', gy, € S). It follows from the above 
iterative process of encipherment that corresponding to the same set of 
parameter values (a,,... ja) two different plain-text letters must 

be enciphered to two different cipher-text letters. 


We illustrate the above procedure with two examples. 


Example 1. The field is GF(41), (p = 41), and the permutation polynomial 
is y = ax + b, where the a-coefficients are defined by 9n er (mod 41), 
and the b's by bie = bel * ba (mod 41), with bi =1, b3 = 5. The set 
S = (0, 1, 2,...,25), and S' = (26, 27,...,40). The numerical values of 
the letters of alphabet A (= the normal alphabet, N = 26) are given as 


in §6 (A = 3, B = 16,...). We encipher PERMUTATION POLYNOMIALS. 


() PER MU T A T' Ets PO L YSN, Or My bade L.S 
(b 142110 2 S 19 3192515 81415 917 815 225. 3 9 24 
(c) 6 36 11 25 27 39 29 10 19 3228 42421 3 1826 3334 40 35 5 
(d) 21828 912 3 5262429 19 15 32 25 10 2121 25 30 38 28 38 
(e) 1 5 6 1117 28 4 32 36 2722 8 30 3827 2410 34 3 37 40 36 
(£) 3 23 34* 10 29* 31* 9 17 19 15 0 23 21 22 37* 4 31* 18 33* 34* 27* 33* 
()..A.D,G* K.H* E* D.Y:T O0 4 D E.M.Of Beet | GOD, Au B* 


CRYPTOLOGIA 


Explanation: (a) = plain-text; (b) = numerical substitutes = x) 

n i 
(c) = 6 = a; (d) = ax (e) = bs (f) - y, = ax, + b,; (g) = cipher- 
text. In (f) the starred numbers are elements of S', and hence the 


iterative procedure outlined above must be followed. 


The first such case occurs at plain-text R (position 3), enciphered by 


S 
ys = 6 x, + bs = 11 x 10 + 6 = 34, We then proceed by iteration to 


y3 


11 x 34 + 6 = 11 = C cipher. A more elaborate case is position 17, 


plain-text 0, Y17 * ge? x 15 + 10 = 26 x 15 + 10 = 31; after five iter- 


ations we arrive at 26 x 30 + 10 = 11 = C cipher. To decipher, the in- 
verse equation ° oo OG - b) is used together with the same iter- 


ative process where necessary. 


Example 2. In this example an alphabet A of N = 1,000 "letters" is 
used, these consisting of the 26 letters A, B,...,Y, Z; the 26? = 676 
digraphs AA, AB,...,ZZ; and 298 high-frequency trigraphs, making a 
total of 26 + 676 + 298 = 1,000 letters of A. Encipherment is in a 
field gr (115) of order 1 = 1,331, generated by the primitive poly- 
nomial t’ + 10t + 4. The permutation polynomial y = ax? * b is to be 
used in encipherment. The elements of the field are partitioned into 
set S of 1,000 elements and S' of n° - 1,000 = 331 elements. For sim- 
plicity we take S to consist of the 1,000 field elements whose field- 
values are 000, 001,...,999. A bijection is established between the 
1,000 letters of A and these 1,000 field-values,e.g.,A = 000, TH = 789, 


AND = 672, etc. 


To encipher a plain-text divide it into sequences of lengths 1, 2, or 


A aes % Replace 


3 letters consistent with A, giving, say, M eee 
n 


January 1977 90 


sequence ^a by the field element Xn with the field-value as determined 


2 
da ; P = ,ontl = ,n +nt2 *- 3 
by the bijection. Then if a= t 3 ba Xf Oe em by and 


if field element 7 © S its field-value will be the substitute for A 
If LAN S' the iterative process is applied as long as necessary. 


The above procedure is applied to encipher PERMUTATION POLYNOMIALS: 


(a) PER MU TAT ION PO LY NO MI ALS 

(b) 816 079 229 313 472 499 871 075 172 
1102 390 407 693 793 315 583 934 679 

(c) t t t t t t "s m zi 

(a) x! E 110 RE RC RC t b M 

(e) 4 8 n D ED +44 E D 22 

e 

(£) (10,8,9) (8,8,7) (5,0,1) (7,3,10) (6,6,3) (6,8,2) (2,8,5) (6,8,7) (6,10,0) 

(g)  1,307*  1,063* 606 890 795 816 335 821 836 

(h) 861 972 


Explanation: (a) = plain-text as letters of A; (b) = numerical substi- 
tutes for these letters as given by the bijection (these numbers were 

selected arbitrarily for the purpose of this illustration); (c) = power 
form of elements of GF(11°) regarding (b) as the field-values of these 


Ln. n7+n+2 


elements (c) = x ; (d) = (e) = bn =t ; (f) = component 


a > 
n n 
form of Yos ax * ba) (g) 


field-values of elements va (the first two 
marked * have to be reenciphered as they are > 999); (h) = field-values 
of Yi» Y2 after reencipherment. The cipher-text would be taken as 

861 972 606 890 795 816 335 821 836 since converting these to alphabet 
letters would create an ambiguity in decipherment since cipher letters 
would customarily be written in groups of five. 


1/3 1/3 _ ,887 


To decipher, the formula x = [(y - b)/a] =t is used. 


with t 
Thus, to decipher the first group 861 = (7,1,3), 

= [(7,1,3) - 1,7,09/:]5 = [(6,5,3)/:4) 3 = (4661,,5 1/5 , 219 , 
Ko = 1,307 field-value. As 1,307 > 999 we repeat the process 
starting with 1,307. This gives 


CRYPTOLOGIA 


13. at% 1/3 . £215.,1/3 


4 
[((10,8,9) - (1,7,0)/t ] ) 
= 215.887 = D102 = 816 field-value, 


»* 
" 


giving PER plain-text. 


8. Concluding remarks. The carrying out by hand of the calculations 
required in the examples described in the previous sections is time- 
consuming, even when a complete power table (as in Figure 1l) of a field is 
known. The use of some type of computer would appear to be a practical 
necessity. As has been observed in other mathematical systems (e.g., the 


Hill system) this is not an uncommon requirement. 


REFERENCES 

1. J. D. Alanen and D. E. Knuth, Tables of finite fields, Sankhya, Ser. A. 
26 (1964), 305-328. 

2. A. A. Albert, Fundamental concepts of higher algebra, Univ. of Chicago 
Press, Chicago, 1956. 

3. W. H. Bussey, Galois field tables for prs 169, Bull. Amer. Math. Soc. 
12 (1905), 22-38. 

4, » Tables of Galois fields of order less than 1000, Bull. 
Amer. Math. Soc. 16 (1910), 188-206. 

5. L. Carlitz, Permutations in a finite field, Proc. Amer. Math. Soc. 4 
(1953), 538. 


6. » A theorem on permutations in a finite field, Bull. Amer. 
Math. Soc. 66 (1960), 456-459. 


75 » Some theorems on permutation polynomials, Bull. Amer. 
Math. Soc. 68 (1962), 120-122. 

8. , Permutations in a finite field, Acta Sci. Math. 24 (1963), 
196-205. 


9. R. D. Carmichael, Groups of finite order, Ginn and Co., New York, 1937. 
10. R. Church, Tables of irreducible polynomials for the first four prime 
moduli, Annals of Math. 36 (1935), 198-209. 
ll. L. E. Dickson, Analytic functions suitable to represent substitutions, | 


Amer. J. Math. 18 (1896), 210-218. | 


January 1977 92 


12. 


13. 


14. 


15. 


16. 


17. 


18. 


19. 


20. 


21. 


22. 


» The analytic representation of substitutions of a power 
of a prime number of letters with a discussion of the linear group, 
Annals of Math. 11 (1896-97), 65-120, 162-183. 

, Linear Groups, Dover Publications, New York, 1958. 
K.D. Fryer, Note on permutations in a finite field, Proc. Amer. 

Math. Soc. 6 (1955), 1-2. 

W. Nübauer, Über eine Klasse von Permutationpolynomen und die dadurch 
dargestellten Gruppen, J. Reine Angew. Math. 231 (1968), 216-219. 

L. Redei, Über eindeutig umkehrbare Polynome in endlichen Korpern, 
Acta Sci. Math. Szeged 11 (1946-48), 85-92. 

W. Stahnhe, Primitive binary polynomials, Math. of Comp. 27 (1973), 
977-980. 

J. D. Swift, Construction of Galois fields of characteristic two and 
irreducible polynomials, Math. of Comp. 14 (1960), 99-103. 

E. J. Watson, Primitive polynomials (mod 2), Math. of Comp. 16 
(1962) , 368-369. 

E. B. Weinberger, The determination and group properties of minimum 
functions in a Galois field, Ph.D. Thesis, Univ. of Pittsburgh (1950). 
Charles Wells, Groups of permutation polynomials, Monatsh. Math. 71 
(1967), 248-262. 

K. S. Williams, Note on Dickson's permutation polynomials, Duke Math. 
J. 38 (1971), 659-665. 


CRYPTOLOGIA 


POE CHALLENGE CIPHER FINALLY BROKEN 


Brian J. Winkel 


During the spring semester of 1975 I taught a cryptology course at Al- 
bion College. The course was open to all students and since the re- 
sponse was overwhelming I took 20 students on a first come, first serve 
basis. It was a general course, using a low level cryptanalysis text 
[8] supported by the book in cryptology [5]. We touched on many topics 
from history, literature and espionage, to cryptograms, various cipher 
schemes and their cryptanalysis, and computer encryption. For example 
we had discussions and presentations on the "Shakespearean" ciphers, 

a computer simulation of a Japanese rotor machine, secret ink usage, 
and the lack of security in linear feedback shift register sequences 


for key stream generation. This was a broad survey course. 


As you might imagine, in any first attempt there were students whose 
enthusiasm dwindled. But there were students whose interest and par- 
ticipation grew. Among the latter was Mark Lyster, a senior chemistry 
major. Mark particularly enjoyed the elementary cryptanalysis we 
covered and he always had ideas on new attacks. He also gave the 


demonstration on secret inks. 


It was late on the Sunday evening before the last week of classes 
when I received a phone call from Mark. He had been going over some 
of the materials on Edgar Allen Poe which I had placed on reserve at 


the library. He believed he was on to something. 


In his column of December 18, 1839 in Alexander's Weekly Messenger 


[Philadelphia] Poe had challenged his readers to submit cryptograms 
(monoalphabetic substitutions) to him. He would "...read it forth- 
with---however unusual or arbitrary may be the characters employed" 
[1, p. 58]. In his February 26, 1840 column Poe discussed a message 
submitted by a G. W. Kulp [1, p. 92]. Poe showed that "...Mr. Kulp's 


January 1977 94 


puzzle is not genuine" [1, p. 94]. In fact, Poe demonstrated, in 
his own words, "...as absolutely conclusive as any mathematical one 
can be," [1, p. 94] that the message was "...an imposition---that 
is to say, we fully proved it a jargon of random characters, having 
no meaning whatsoever." This last quote is from an essay by Poe, 
"A Few Words on Secret Writing," written a year after his demonstra- 
tion in the Messenger [7, p. 34]. See [3, p. 270] for more details 
,On the essay itself. It was the Kulp message that Mark wanted to 
discuss. 


Incidentally the Kulp message along with much of Poe's other materials 
from the Messenger were lost to scholars until their recovery and re- 
publication in 1942 [1]. Previous to that time William F. Friedman 
had published two scholarly works on Poe as cryptographer [3, 4]. 

In 1943 William K, Wimsatt, Jr., a distinguished professor of English 
literature at Yale, published his scholarly work, "What Poe Knew About 
Cryptography," [9] in which the Kulp message is glanced over in a few 
sentences [9, p. 761]. Wimsatt must have been in touch with Fried- 
man concerning the newly found Poe material for he acknowledges 
Friedman's expert advice at the same time he acknowledges receipt of 
"photostatic copies of the Poe items in the American Antiquarian So- 
ciety Alexander's" [9, p. 754]. Unfortunately Professor Wimsatt 

died in 1975. And so, taken together with William Friedman's earlier 
death it can only be presumed that both men saw the Kulp message and 
either accepted Poe's proof without questioning the real cipher used 
by Kulp or chose not to devote any time to it. It is unlikely that 
had they asked themselves about the technique used by Kulp, they 
would have left it unnoticed, for there was great interest in the use 
of symbolism in American letters, enough to merit the pursuit of any 
trail in this area. Moreover, there were serious doubts about Poe's 
real ability, as well as his integrity, in the field of cryptology 
[6, p. 103; 2, pp. 28-29]. 


I knew all of this as Mark spoke and I myself had glanced through Poe's 


95 


CRYPTOLOGIA 


rather nice proof of the impossibility of the Kulp message, never ask- 
ing the important question, "What was Kulp's message?" Mark had done 
what teachers preach and, too often, do not practice. He began to ask 
the question, "What cipher system did G. W. Kulp of Lewiston, Pennsyl- 
vania, use in his(her) secret message of 1841?" Mark had used some 
computer programs, prepared by two students in our class, to do some 
statistical tests on the message. All of the notions used were taken 
from [8]. After several computer runs and some judicious guessing he 
believed he was getting some plain text. He was excited; I was ex- 
cited. We worked off and on through our class breaks on Monday and 

by that night we had it. We did not break the Japanese Purple Ma- 
chine! The message had little, if any, literary value! And, it was 
not all that hard, in hindsight! 


But one of my students had dared to ask and then seek the answer with 
tools available from our course. With help from me, the teacher, he 
broke the message. That made my day, my week; in fact, it made the 
course for me. 


We want you to give the message a try. We reproduce it below. Some 
final comments are worth noting. Poe said in his July 1841 article 
that "...had it been a 'genuine article', it would not have been writ- 
ten in as free and running a hand as it is---a hesitation would have 
been apparent about the characters" [1, p. 92]. We determined 

several errors. You should make your own conclusions as to the nature 
of these errors. We have several possible answers which we shall not 
suggest to you, but we suggest you send us your solution to the cryp- 
togram with some idea as to how you did it along with your conjectures 
on the errors. We shall list solvers and interesting points on solu- 


tions and the errors in a future issue of CRYPTOLOGIA. 


Ge Jeasgdxv, 


Zij gl mw, £aam, xzy zmlwhfzek ejlvdxw 
kwke tx lbr atgh lbmx aanu bai Vsmukkss pwn 
vlwk agh gnumk wdlnzweg jnbxvv oaeg enwb 
zwmgy mo méw wnbx mw al pnfdcfpkh wzkex 
hssf xkiyahul. Mk num yexdm wbxy sbc hv 


wyx Phwkgnamcuk? 


January 1977 96 


REFERENCES 

1. Clarence S. Brigham, "Edgar Allen Poe's Contributions to Alexan- 
der's Weekly Messenger", Proceedings of the American Antiquarian 
Society, April, 1942, pp. 45-125. 

2. Killis Campbell, The Mind of Poe and Other Studies, Harvard Uni- 
“versity Press, Cambridge, Massachusetts, 1933. 

*3. William F. Friedman, "Edgar Allen Poe, Cryptographer", American 
Literature, 8 (November, 1936) pp. 226-280. (Reprinted in Sig- 
nal Corps Bulletin, No. 97 (July-September, 1937) pp. 41-53.) 

*4. William F. Friedman, "Edgar Allen Poe, Cryptographer (Addendum)" 
Signal Corps Bulletin, No. 98 (October-December, 1937) pp. 54-75. 

5. David Kahn, The Codebreakers: The Story of Secret Writing, Mac- 
millan, New York, 1967. 

6. Joseph W. Krutch, Edgar Allen Poe: A Study in Genius, Alfred A. 

Knopf, New York, 1926. 

Edgar Allen Poe, "A Few Words on Secret Writing", Graham's Magazine, 

19 (July, 1841) pp. 33-38. 

Abraham Sinkov, Elementary Cryptanalysis, A Mathematical Approach, 

Random House, New York, 1968. [Now available in The New Mathematical 

Library of the Mathematical Association of America, Washington, D.C.] 

9. William K. Wimsatt, Jr., "What Poe Knew About Cryptography", 


Publications of the Modern Language Association, 58 (1945) pp. 
754-779. 


*Editor's Note: Both Friedman articles were reprinted in Articles on 
Cryptography and Cryptanalysis Reprinted from the Signal Corps "Bul- 
letin", Government Printing Office, Washington, 1942 and are currently 
available in Cryptography and Cryptanalysis Articles, Vol. II, Ed. 


William F. Friedman, Aegean Park Press, Laguna Hills, California, 1976. 


CRYPTOLOGIA 


Biographies of Contributors 


Cipher A. Deavours is an Associate Professor of Mathematics at Kean 
College, Union, New Jersey. His interest in cryptology dates back sev- 
eral years when he came across a copy of David Kahn's The Codebreakers. 
Although he is one of the founders of CRYPTOLOGIA, his major research 
interests lie in partial differential equations and quaternion function 
theory. We will not tell you how he got his name. 


David Kahn is the author of The Codebreakers and of numerous magazine 
articles on cryptology. Born in New York City in 1930, he was awarded 
the BA from Bucknell University in 1951 and the PhD in modern history 
from Oxford University in 1974. He has worked as a reporter for 
Newsday, the Long Island daily, and as a news-desk editor for the Inter- 


national Herald Tribune in Paris. At present he is an Associate Pro- 


fessor of Journalism at New York University and is completing a book on 


German military intelligence in World War II. 


Brian J. Winkel is an Assistant Professor of Mathematics at Albion 
College. His background in cryptology includes work at the National 
Security Agency and a course in cryptology which he taught at Albion 
College. His main interest is bringing applications of mathematics 
(cryptology included) into all of his classes. Currently these appli- 
cations extend from mathematical models in biomedical sciences to 
linear programming for decision making. We are not sure just where 


cryptology goes in that spectrum. 


Barbara Harris is a member of the American Cryptogram Association and 
works in the field of computer science. She has done some very nice 
work in deciphering interesting diary material. She displays additional 
cleverness by living in New York City and commuting to her job outside 
the city, thus watching the traffic while in motion, not at a standstill. 


We hope to hear from Barbara on a regular basis 


January 1977 98 


Louis Kruh, a public relations executive, has been interested in cryp- 
tology for over 30 years. He is an active member of the American Crypto- 
gram Association serving as Book Review Editor for The Cryptogram, the 
Association's magazine. Lou has a sizeable collection of material on 
cryptology and a number of cipher devices and machines, the latter being 
his main interest. He has done considerable research and writing on the 
subject and one of his articles on the M-94 appeared in The Irish Defense 
Journal. He served with the 94th Infintry Division in World War II until 
wounded in action and afterwards was assigned to the Stars and Stripes. 
He received his BBA, cum laude, from the City College of New York and 
his MBA, with distinction, from Pace University. His thesis was a 212 
Page report on pubiic relations and secrecy, and the National Security 


Agency. 


Greg Mellen is a staff engineer in the Sperry Univac Civilian Agency 
Systems Engineering department. He is a strong supporter of the Amer- 
ican Cryptogram Association while taking his place as one of the best 
solvers in the ACA. His training in classics, computer science and air 
traffic control, yes ATC, make him an eclectical cryptologist, the best 
kind. Greg has long been interested in nonnumerical applications of 


computers. 


Lloyd Greenwood is a principal engineer in the Sperry Univac Command 
and Control Systems Engineering department. His special interest 


is computer simulation. 


James Reeds received his AB (The University of Michigan, 1969) and MA 
(Brandeis, 1972) in mathematics and his PhD (Harvard, 1976) in statistics. 
He will be teaching statistics at the University of California, Berkeley. 
He has always been interested in cryptanalysis, and after reading The 
Codebreakers in college he began using mathematics and computers in 
cryptanalysis. He is most interested in statistical methods for break- 


ing machine ciphers. 


CRYPTOLOGIA 


Jack Levine received his AB degree from U.C.L.A. and his PhD (Mathematics) 
from Princeton University. He is recently retired from his position of 
Professor of Mathematics at North Carolina State University. His inter- 
est in the general area of cryptology covers a period of many years and 
many topics including computer generated pattern word lists and algebraic 
(matrix) cryptography. He has published a number of articles on this 


subject singly and together with his student, Joel V. Brawley. 


Joel V. Brawley received his BS degree and his PhD (Mathematics) at 
North Carolina State University. He is now Professor of Mathematics at 
Clemson University. As a member of the Visiting Lecturers Program of 
the Mathematical Association of America since 1968 he has spoken at 


numerous colleges on various aspects of algebraic cryptology. 


January 1977 100 


Epilogue 
For those who knew we were coming and who waited so long, we trust your 
patience was rewarded. For those who might be disappointed let us have 


your suggestions. For those who are excited by the prospect CRYPTOLOGIA 
offers, come, give us your ideas. 


Notice to Authors 


All papers related to cryptology will be considered. Send articles to: 
CRYPTOLOGIA, Albion College, Albion, Michigan 49224. Three copies 
should be submitted and one kept by the author as a protection against 
loss. Manuscripts must be legibly typewritten or reproduced from 
typewritten copy and double spaced with wide margins. Adhere to the 
footnoting style presented here. Diagrams should be done in black ink 


suitable for photo-offset reproduction. Photographs must be clear. 


While ultimate responsibility for the accuracy of material lies with 
the author, we shall do our best, through checking and consultations, 


to help insure accuracy. 


Nonsubscribers to CRYPTOLOGIA will receive a copy of the issue in 


which their article appears. 


Subscription Information 


We shall be attempting to produce four issues per year. Subscription 


rates are as follows: 


Single issues including Four issues beginning with 
back issues: $5.00 per issue. current issue: $16.00. 
Send check to: Send check to: 

Aegean Park Press CRYPTOLOGIA 

P.O. Box 2837 Albion College 


Laguna Hills, CA 92653 4 Albion, MI 49224 


zi 


